Abstract. In this article we present a method for formally proving the correctness of the lazy algorithms for computing homographic and quadratic transformations, of which the field operations are special cases, on a representation of real numbers by coinductive streams. The algorithms work on coinductive streams of Möbius maps and form the basis of the Edalat-Potts exact real arithmetic. We use the machinery of the Coq proof assistant for coinductive types to present the formalisation. The formalised algorithms are only partially productive, i.e., they do not output provably infinite streams for all possible inputs. We show how to deal with this partiality in the presence of the syntactic restrictions posed by the constructive type theory of Coq. Furthermore we show that the type-theoretic techniques that we develop are compatible with the semantics of the algorithms as continuous maps on real numbers. The resulting Coq formalisation is available for public download.



Introduction 

Exact real numbers constitute one of the prime examples of infinite objects in computer science. The ubiquity and theoretical importance of real numbers, as well as recent safety-critical applications of exact arithmetic, make them an important candidate for applying various approaches to formal verification. Among such approaches, one that is tailor-made for infinite objects is coinductive reasoning. A careful coinductive formalisation of real numbers has two advantages: (1) it provides a certified package of exact arithmetic; (2) it gives valuable insight into various notions of coinductive proof principles that can contribute to the area of formal verification for infinite objects.

Coinductive reasoning is dual to the usual approach of using algebraic and inductive data types both for computation and reasoning, and can be studied from a set-theoretical [BM96], category-theoretical [JR97] or type-theoretical [Coq94] point of view. In all these settings the coinductive structure of real numbers is usually expressible as streams, which have a simple and well-understood shape. Although there are other coinductive objects (e.g. expression trees [EP97]) modelling exact real numbers, the stream approach has proven to be expressive enough for most computational purposes. In this approach a real number r is represented by a stream of nested intervals whose intersection is the singleton {r}. This approach has always been the basis of representing real numbers, as the usual decimal representation is an instance of it, with digits denoting interval-contracting maps. Because of this, much work has been done on the study and implementation of various algorithms for specific stream-based representations. In this context one rather generic approach is the work by Edalat et al. [EP97, PEE97, Pot98, EH02]. There the authors develop the general framework of representations using linear fractional transformations, which covers all known representations of real numbers that are based on streams of nested intervals. In particular the Edalat-Potts normalisation algorithm is a unified algorithm for computing all elementary functions on real numbers.

The present work is part of the ongoing project of the author for formalising and verifying the Edalat-Potts normalisation algorithm. We use the constructive type theory extended with coinductive types to implement and formalise the homographic and quadratic algorithms. These algorithms originated in exact continued fraction arithmetic [Gos72, Vui90, Les01] and form the basis of the Edalat-Potts algorithm. The two algorithms suffice for equipping the stream representations of real numbers with a field structure and thus are important in themselves, both from a theoretical and from a practical point of view. The theoretical importance is highlighted when we consider our work as a solution to the problem of equipping the coalgebraic structure of real numbers with the algebraic properties of a field. This is due to the innate relationship between coinductive types and final coalgebras, which we mention in Section 1.

We use the machinery of the Coq proof assistant for coinductive types to present the formalisation. Throughout the article we use a syntax loosely based on the Coq syntax, adapted for presentation in an article. We present definitions and lemmas, depending on the usage context, either as a Coq declaration (bound between two horizontal bars) or as ordinary mathematical expressions. Regarding lemmas we follow this convention: if a lemma is to be used as a Coq subterm of another lemma or definition then we present its statement as a Coq declaration so that it gets a reusable name; otherwise we present it as an ordinary numbered lemma. In order to improve the legibility of the Coq declarations we use the curried version of functions within Coq declarations, e.g. F a b will be used in Coq mode and F(a, b) within the text. All the lemmas in this article are formalised and proven in Coq; a list of their machine-checked counterparts is given in Appendix B. Most of the proofs of lemmas are omitted in the paper, although in some cases the proof is given in human language. In any case the machine-checked versions of the statements and proofs of all the lemmas and theorems can be found in the complete Coq formalisation of the material in this article, which is available for download in [Niq07a].

Related Work. The stream representation of exact real numbers has recently been formalised in a coinductive setting by Ciaffaglione and Di Gianantonio [CDG06, Cia03], Bertot [Ber07], Hou [Hou06] and Gibbons [Gib07]. Ciaffaglione and Di Gianantonio use the Coq proof assistant to formalise a representation of real numbers in [−1, 1] as ternary streams and to prove that, paired with natural number exponents, they form a complete Archimedean ordered field. Bertot, also using Coq, formalises a ternary representation of [0, 1] using affine maps and formalises affine operations (multiplication by scalars), addition, multiplication and infinite sums. Hou studies two coinductive representations, signed ternary digits and Cauchy sequences considered as streams, proves their equivalence using set-theoretic coinduction and defines addition via the average function. Gibbons, as an application of his notion of metamorphism, shows how one can transform various stream representations of real numbers and use the same algorithms for different representations.

Our work, while related, is different from all of the above in that we formalise two powerful algorithms that give us all field operations on real numbers, including division, which seems to be the most difficult one in the other approaches. Furthermore, due to the expressiveness of the Edalat-Potts framework, the algorithms that we formalise are in principle independent of any specific representation. For presentation purposes we use a specific representation, but our correctness proof can be adapted to other representations. This is because the correctness proofs have several layers, and only one aspect of them depends on the metric properties of the representation used. The coinductive aspect of our work is related to the above work. For example, we follow Bertot's and Hou's idea of using a coinductive predicate to link real numbers and the streams representing them [Ber05a, Ber07, Hou06]. From a type-theoretic point of view the notion of cofixed point equations has a central role in our development, distinguishing it from the above work.

From a historical perspective, the Edalat-Potts algorithm was a step towards designing a programming language with a built-in abstract data type for real numbers [PEE97], in line with the work of Di Gianantonio [DG93] and Escardó [Esc97]. The trade-off between expressibility and the existence of parallelism in these works led to some improvements on the domain-theoretic semantics of the Edalat-Potts algorithm, e.g. in the recent work [MRE07] where a sequential language with a non-deterministic cotransitivity test is proposed. This line of research is an instance of the extensional approach to exact real arithmetic, while our work, in which we have direct access to the digits of the representation, is a study in intensional exact arithmetic in the sense of [BES02]. However, the actual programs written in the extensional approach do have a coalgebraic nature and are essentially formalisable in the coinductive type theory.

In other related work, Pavlovic and Pratt [PP00] study the order properties of the continuum as the final coalgebra for the list functor and the stream functor in the category Set, by specifying Cantor space and Baire space in terms of these functors. However, by characterising the continuum only up to its order type, their construction does not address the algebraic properties of real numbers. Freyd gives another characterisation of the Dedekind reals (see [Joh02, § D4.7]) in terms of the diagonalisation of a 'wedge' functor in a category of posets. In [ES01] the unit interval is constructed as an initial algebra and Cauchy completeness is defined by the uniqueness of a morphism from a coalgebra to an algebra. The big picture that we are working on, i.e., the formalisation of the Edalat-Potts normalisation algorithm, is related to the work in [PE98, Sim98, Pat03] that reconciles the coalgebraic structure of real numbers with algebraic operations on them.

The general issue of formalising functions from streams to streams within logical frameworks is studied in [MPC86, Pau94] (using the Knaster-Tarski fixed point theorem) and [Mat99, DGM03] (using the Banach-Mazur fixed point theorem). Finally, the recent work in [GHP06] tackles this problem by internalising the notion of productivity in a single data type for all such functions. Productive functions are those functions on infinite objects that produce provably infinite output. The above formalisations all focus on formalising total productive functions. This is not surprising, given that in type theory we deal with total functions. However, from the programmer's point of view, it might be desirable to have a way of dealing with partial functions. Our work differs from the above in that we embark on formalising partial algorithms on infinite objects. In this sense our work is related to the work on formalising general recursion for partial functions on inductive types [DDG98, BC01].

Finally, our focus on partial productivity is related to the aforesaid domain-theoretic semantics [Esc97], where partial real numbers are denoted by intervals and the strong convergence (akin to our notion of productivity) of the functions is studied [MRE07]. This relationship is not a coincidence, as manifested by the original analytic proof of adequacy for the Edalat-Potts algorithm [PEE97].

1. Type Theoretic Coinduction 

The Coq proof assistant [CDT06] is an implementation of the Calculus of Inductive Constructions (CIC) extended with coinductive types. This is an extension of Martin-Löf intensional type theory. Coinductive types are intended for accommodating infinite objects such as streams and infinite trees in type theory [MPC86]. This is in contrast to inductive types, which accommodate well-founded and thus essentially finitistic objects such as natural numbers and finite trees. The coinductive types were added to Coq by Giménez [Gim96]. Their implementation follows the same philosophy as that of inductive types in CIC, namely there is a general scheme that allows the formation of coinductive types once their constructors are given, provided these constructors satisfy the strict positivity condition. The definition of a strictly positive constructor is identical for inductive and coinductive types and similar to that of a monomial endofunctor (i.e., an endofunctor involving products and exponentials). Intuitively a constructor c is strictly positive with respect to x only if x does not appear to the left of a → in a nested occurrence of → in the type of c. A formal definition can be found in [PM92]. This means that the following forms an inductive (resp. coinductive) type I in Coq, provided that the keyword Inductive (resp. Coinductive) is given and that all the c_i's are strictly positive constructors with respect to I.

    (Co)Inductive I (x_1 : X_1) ... (x_j : X_j) : ∀(y_1 : Y_1) ... (y_m : Y_m), s :=
      | c_1 : ∀(z_{1,1} : Z_{1,1}) ... (z_{1,k_1} : Z_{1,k_1}), I t_{1,1} ... t_{1,m+j}
      ...
      | c_n : ∀(z_{n,1} : Z_{n,1}) ... (z_{n,k_n} : Z_{n,k_n}), I t_{n,1} ... t_{n,m+j}

In such a declaration $s$ is a sort, i.e., $s \in \{\mathsf{Set}, \mathsf{Prop}, \mathsf{Type}\}$. Moreover the $x_i$'s (resp. $y_i$'s) are the general (resp. recursive) parameters of $I$.

For example one can define the set of streams as

    Coinductive Streams (A : Set) : Set :=
      | Cons : A → Streams A → Streams A.

Note that this is a polymorphic type forming the streams of elements of its general parameter A. From now on we shall use $A^\omega$ to denote the type Streams A.

After a coinductive type is defined one can introduce its inhabitants and functions into it. Such definitions are given by a cofixed point operator. This operator is similar to the fixed point operator for structural recursion. When given a well-typed definition that satisfies a guardedness condition, this operator will introduce an infinite object that inhabits the coinductive type.

The typing rule for this operator is given by the following judgement (here, let $I$ be a coinductive type with parameters $P_0, \ldots, P_j$).

$$\frac{\Gamma, f : B \vdash N : B \qquad B = \forall x_0 : X_0, \ldots, x_j : X_j,\ (I\ P_0 \ldots P_j) \qquad G(f, B, N)}{\Gamma \vdash \mathsf{cofix}\ f : B := N\ :\ B}$$

According to this rule, if $f$, $B$ and $N$ satisfy the side condition $G$ then $\mathsf{cofix}\ f$ is an inhabitant of type $B$, which is a function type whose codomain is a coinductively defined type. In this case $N$ is the body of the definition, which may contain $f$. The side condition $G(f, B, N)$ is called the Coq guardedness condition and is a syntactic criterion intended to ensure the productivity of infinite objects. This condition checks whether the declaration of $f$ is guarded by constructors. This means that every occurrence of $f$ in the body $N$ should be the immediate argument of a constructor of some inductive or coinductive type. Note that it need not be the argument of only the constructors of $I$, and that the constructors can accumulate on top of each other. Thus $f$ occurs guarded if it occurs as $c_0(c_1 \ldots (c_m\ f) \ldots)$ where each $c_i$ is a constructor of some inductive or coinductive type $I_i$. This condition is due to Giménez [Gim96] and is based on earlier work of Coquand [Coq94]. A precise definition of $G$ can be found in [Gim96, p. 175].

Finally we mention the reduction (in fact expansion) rule corresponding to the $\mathsf{cofix}$ operator. Let $F = \mathsf{cofix}\ g : B := N$. Then the cofixed point expansion is the following rule.

$$\mathsf{match}\ (F\ P_0 \ldots P_j) : X\ \mathsf{with}\ |\ r_0 \Rightarrow R_0\ |\ \ldots\ |\ r_k \Rightarrow R_k\ \mathsf{end} \;\rightsquigarrow\; \mathsf{match}\ (N[g := F]\ P_0 \ldots P_j) : X\ \mathsf{with}\ |\ r_0 \Rightarrow R_0\ |\ \ldots\ |\ r_k \Rightarrow R_k\ \mathsf{end}.$$

Thus, the expansion of a cofixed point is only allowed when a case analysis of the cofixed point is done.

It is well known that coinductive types correspond to weakly final coalgebras in categorical models of intensional type theory [Hag87]. From a coalgebraic point of view this treatment of coinductive types by means of constructors and a cofixed point operator might seem unnatural: final coalgebras are about observations and not constructions; a final coalgebra should be given using its destructor. Nevertheless, presenting the coinductive types in the Coq way is much closer to the syntax of lazy functional programming languages such as Haskell (note that in Haskell, where there is no distinction between inductive and coinductive types, all data types can be considered to be potentially infinite and hence correspond to Coq's coinductive types), and hence very useful for many applications. Moreover, as we show in Section 3, one can use Coq to define a general form of productive functions, allowing one to build more complicated coalgebraic structures. In any case, theoretically this does not change the coalgebraic semantics, and the coinductive types can still be interpreted as weakly final coalgebras in any categorical model of CIC (see [AAG05] where a stronger result is proven). Furthermore, the usual coiteration and corecursion schemes can be derived in terms of the operator $\mathsf{cofix}$ [Gim95]. Therefore the method that we present in this article using the language of Coq can easily be translated into the standard categorical notation in any categorical model of CIC. (In fact, in the present article we do not need the universes of CIC, and therefore categorical models of simpler extensions of Martin-Löf type theory, such as the Martin-Löf categories of Abbott et al. [AAG05], suffice.)
The guardedness condition of Coq is one among many syntactic criteria for ensuring productivity. Examples include corecursion [Geu92], the dual of course-of-value recursion [UV99], T-coiteration for pointed functors [Len99], λ-coiteration for distributive laws [Bar01] and bialgebraic T-coiteration [CHL03], each handling an ever expanding class of specifications. However, the productivity of the algorithms on real numbers cannot be syntactically detected. In fact the productivity of the standard filter function on streams of natural numbers with the following specification is also not decidable (here P is a boolean predicate on natural numbers and we use x :: xs to denote Cons x xs).

$$\mathrm{filter}\,(x :: xs) := \begin{cases} x :: \mathrm{filter}\ xs & \text{if } P(x), \\ \mathrm{filter}\ xs & \text{otherwise.} \end{cases}$$

By suitably choosing P one can reduce the problem of the productivity of the above function to an open problem in mathematics; see [Niq04, Example 4.7.6] for a choice of P which shows that the productivity of the above function is equivalent to whether there are infinitely many twin prime numbers.

Therefore it seems that syntactic productivity tests cannot cover the most general class of recursive specifications for infinite objects. One possible solution is to resort to semantic means in order to be able to formalise such programs using one of the above schemes. For instance, for the case of filter on prime numbers, one has to (1) consider a number-theoretic constructive proof of the infinitude of primes, (2) from this proof extract a function k that returns the n-th prime number, (3) use k to rewrite filter in a way that passes the syntactic tests of productivity, i.e., using one of the above syntactic schemes [Niq07c, Niq04, § 4.7].



Another work-around, the one that we follow in this article, is to resort to advanced type-theoretic methods to bypass this condition. This is similar to the application of dependent inductive types for formalising general recursion using structural recursion [DDG98, BC01]. For coinductive types this has led to a method of general corecursion for filter-like functions [Ber05b] and to the similar method that we use in Section 3 for formalising the homographic and quadratic algorithms in Coq.

The $\mathsf{cofix}$ operator and its expansion rule, together with the guardedness condition, constitute the machinery of the Coq system for coinductive types. This means that there is no separate tool for proofs by coinduction. This is in contrast to the set-theoretic greatest fixed point semantics for coinduction, where for each coinductive object a coinduction proof principle is present, inherent in the monotonicity of the set operator [BM96]. Instead, in the type-theoretic approach, where proofs are objects too, we use the $\mathsf{cofix}$ operator to directly build the coinductive proof as a proof object. This means that whenever we want to prove by coinduction, our goal should be a coinductive type. If necessary, specialised coinductive predicates should be created for formalising a proof that uses coinduction. These additional predicates are in most cases straightforward reformulations of the corresponding set-theoretic proof principle (cf. the extensional equality ≡ below). However, sometimes special care has to be taken to overcome the restrictions put forward by the guardedness condition (cf. rep in Section 4). As a result, Coq's direct approach to coinduction makes coinductive proofs easier than their set-theoretic counterparts as long as the guardedness condition does not get in the way.

For proving equalities by coinduction, in coalgebraic and set-theoretic settings one relies on the notion of bisimulation [BM96, JR97]. In the case of streams, a bisimulation is a binary relation R satisfying the property that

$$R(\alpha, \beta) \implies \mathrm{hd}(\alpha) = \mathrm{hd}(\beta) \wedge R(\mathrm{tl}(\alpha), \mathrm{tl}(\beta)).$$

Here hd and tl are the functions on streams that give the head and the tail of a stream. One can then prove that two streams are equal if they are related by a bisimulation. The coinduction proof principle thus consists of finding a suitable bisimulation.

To translate this proof principle into type-theoretic coinduction, note that the bisimulation relation leads to an extensional equality, which in intensional type theories such as CIC is quite distinct from the built-in notion of equality. In fact each extensional equality has to be defined and added to the type system. On the other hand, recall that we can only prove by coinduction in Coq if the goal of the proof has a coinductive type. This leads us to the following definition of a coinductive extensional equality on streams, which we denote by ≡.

    Coinductive ≡ : A^ω → A^ω → Prop :=
      | ≡_c : ∀(α₁ α₂ : A^ω), hd α₁ = hd α₂ → tl α₁ ≡ tl α₂ → α₁ ≡ α₂.

Note that ≡_c, the sole constructor of ≡, has the shape of a bisimulation property. The proof that this is an equivalence relation can be found in the standard library of Coq [CDT06]. Moreover, Giménez shows that this is a bisimulation equivalence relation and derives the usual principle of coinduction [Gim96, § 4.2]. In the present work we use the relation ≡ in our coinductive correctness proofs.

2. Homographic and Quadratic Algorithms

The homographic and quadratic algorithms are similar to Gosper's algorithm [Gos72] for addition and multiplication on continued fractions and form the basis of the Edalat-Potts approach to lazy exact real arithmetic [EP97, Pot98].

Here we use a representation which is much simpler than continued fractions but redundant enough to ensure productivity (the necessity of redundancy in representations of real numbers is studied in the framework of computable analysis [Wei00] but is outside the scope of the present article). There is nothing special about this representation apart from the fact that it eases the Coq formalisation of the proofs of the metric properties that we use in this work, thus giving us a prototype formalisation of the algorithms that is concrete and hence can be computed with. A treatment of the general case, where we abstract away both the digit set and the compact subinterval of $[-\infty, +\infty]$, can be found in [Niq04, § 5]. Thus, for practical and presentational purposes, we consider a fixed representation for $[-1, 1]$ containing 3 digits, each of which is a Möbius map. Möbius maps are maps of the form

$$\mu(x) = \frac{ax + b}{cx + d}$$

where $a, b, c, d \in \mathbb{Q}$ (we could equivalently take the coefficients to be in $\mathbb{Z}$). Möbius maps are usually denoted by the matrix of their coefficients. A Möbius map is bounded if its denominator does not vanish in $[-1, 1]$. A Möbius map is refining if it maps the closed interval $[-1, 1]$ into itself. Assuming $\mu = \begin{bmatrix} a & b \\ c & d \end{bmatrix}$ we introduce two predicates that capture these properties:

$$\mathrm{Bounded}(\mu) := (0 < d + c \wedge 0 < d - c) \vee (d + c < 0 \wedge d - c < 0),$$

$$\begin{aligned}
\mathrm{Ref}(\mu) := \mathrm{Bounded}(\mu) \wedge \big( & (0 \le a+b+c+d \wedge 0 \le a-b-c+d \wedge 0 \le -a-b+c+d \wedge 0 \le -a+b-c+d) \\
\vee\ & (a+b+c+d \le 0 \wedge a-b-c+d \le 0 \wedge -a-b+c+d \le 0 \wedge -a+b-c+d \le 0) \big).
\end{aligned}$$

(Bounded states that $cx + d$ has the same sign at $x = 1$ and $x = -1$; the two disjuncts of Ref are the conditions $-1 \le \mu(1) \le 1$ and $-1 \le \mu(-1) \le 1$ with the denominators $c + d$ and $d - c$ cleared, one disjunct for each sign of the denominator.)

For our representation, we consider the set $\mathrm{DIG} = \{L, R, M\}$ and denote the set of streams of elements of DIG by $\mathrm{DIG}^\omega$. We interpret each digit by a refining Möbius map as follows.

$$L = \begin{bmatrix} \tfrac12 & -\tfrac12 \\[2pt] \tfrac12 & \tfrac32 \end{bmatrix}, \qquad R = \begin{bmatrix} \tfrac12 & \tfrac12 \\[2pt] -\tfrac12 & \tfrac32 \end{bmatrix}, \qquad M = \begin{bmatrix} 1 & 0 \\ 0 & 3 \end{bmatrix}.$$

That is, $L(x) = \frac{x-1}{x+3}$ maps $[-1, 1]$ onto $[-1, 0]$, $R(x) = \frac{x+1}{3-x}$ maps it onto $[0, 1]$, and $M(x) = \frac{x}{3}$ maps it onto $[-\tfrac13, \tfrac13]$. In fact under the conjugacy map $S(x) = \frac{x-1}{x+1}$, these are the conjugates of the Stern-Brocot representation for $[0, +\infty]$ presented in [Niq04, § 5.7], hence the fact that $\mathrm{DIG}^\omega$ is a representation for $[-1, 1]$ is easily derivable from the properties of the Stern-Brocot representation (see also Section 4).

The homographic algorithm is the algorithm that, given a Möbius map $\mu$ and a stream $\alpha \in \mathrm{DIG}^\omega$ representing $r_\alpha$, outputs a stream $\gamma$ that represents $r_\gamma$ such that $\mu(r_\alpha) = r_\gamma$. In order to present the homographic algorithm we need an emission condition $\mathrm{Incl}(\mu, \phi)$ for a digit $\phi = \begin{bmatrix} \phi_{00} & \phi_{01} \\ \phi_{10} & \phi_{11} \end{bmatrix}$ and $\mu$ which checks the inclusion of intervals $\mu([-1, 1]) \subseteq \phi([-1, 1])$.

$$\begin{aligned}
\mathrm{Incl}(\mu, \phi) := \mathrm{Bounded}(\mu) \wedge\ & (d-c)(d-c)(\phi_{01}-\phi_{00}) \le (d-c)(b-a)(\phi_{11}-\phi_{10}) \wedge \\
& (d-c)(b-a)(\phi_{10}+\phi_{11}) \le (d-c)(d-c)(\phi_{00}+\phi_{01}) \wedge \\
& (d+c)(c+d)(\phi_{01}-\phi_{00}) \le (d+c)(a+b)(\phi_{11}-\phi_{10}) \wedge \\
& (d+c)(a+b)(\phi_{10}+\phi_{11}) \le (d+c)(c+d)(\phi_{00}+\phi_{01}).
\end{aligned}$$

(Since a bounded Möbius map is monotone on $[-1, 1]$, the inclusion amounts to $\phi(-1) \le \mu(-1) \le \phi(1)$ and $\phi(-1) \le \mu(1) \le \phi(1)$, where $\mu(-1) = \frac{b-a}{d-c}$, $\mu(1) = \frac{a+b}{c+d}$, $\phi(-1) = \frac{\phi_{01}-\phi_{00}}{\phi_{11}-\phi_{10}}$ and $\phi(1) = \frac{\phi_{00}+\phi_{01}}{\phi_{10}+\phi_{11}}$; the four inequalities above are these four comparisons with the denominators cleared, and the squared factors $(d-c)(d-c)$ and $(d+c)(c+d)$ keep the direction of each inequality independent of the sign of the denominator of $\mu$.) Note that since the above are expressions involving only rational numbers, the emission condition is a decidable predicate. This enables us to state the homographic algorithm:

    homographic μ (x :: xs) :=
        L :: homographic (L⁻¹ ∘ μ) (x :: xs)    if Incl(μ, L),
        R :: homographic (R⁻¹ ∘ μ) (x :: xs)    else if Incl(μ, R),
        M :: homographic (M⁻¹ ∘ μ) (x :: xs)    else if Incl(μ, M),
        homographic (μ ∘ x) xs                   otherwise.

Here $\phi^{-1}$ and $\circ$ denote the usual matrix inversion and matrix product. The first three branches (resp. the last branch) are called emission steps (resp. the absorption step). Note that due to the redundancy of the representation the case distinction need not be mutually exclusive, but this does not affect the outcome.

The intuition behind the algorithm is that we start by considering an infinite product of Möbius maps, of which all but the first one are digits. We start pushing $\mu$ towards infinity by absorbing digits (hence obtaining a new refining Möbius map) and emitting digits whenever the emission condition holds, i.e., whenever the range of the Möbius map applied to the interval $[-1, 1]$ fits inside the range of a digit.

$$\mu \circ \phi_0 \circ \phi_1 \circ \cdots \;\rightsquigarrow\; \phi \circ (\phi^{-1} \circ \mu) \circ \phi_0 \circ \phi_1 \circ \cdots \quad \text{if } \mathrm{Incl}(\mu, \phi).$$

For a more formal semantics of the algorithm see [PEE97] and the semantic proof of correctness given in [Niq04, § 5.6].



To compute binary algebraic operations we consider the quadratic map, which is a map

$$\xi(x, y) := \frac{axy + bx + cy + d}{exy + fx + gy + h}$$

with $a, b, c, d, e, f, g, h \in \mathbb{Q}$ and can be denoted by its $2 \times 2 \times 2$ tensor of coefficients (below we write this tensor as a $2 \times 4$ matrix whose first row holds the numerator coefficients $a, b, c, d$ and whose second row holds the denominator coefficients $e, f, g, h$). A quadratic map is bounded if its denominator does not vanish in $[-1, 1] \times [-1, 1]$. A refining quadratic map is a quadratic map $\xi$ such that $\xi([-1, 1], [-1, 1]) \subseteq [-1, 1]$. The predicates $\mathrm{Bounded}(\xi)$ and $\mathrm{Ref}(\xi)$ can easily be stated in terms of inequalities on rational numbers (see Appendix A).

The quadratic algorithm is an algorithm that, given a quadratic map $\xi$ and two streams $\alpha, \beta \in \mathrm{DIG}^\omega$ representing $r_\alpha$ and $r_\beta$, outputs a stream $\gamma$ that represents $r_\gamma$ such that $\xi(r_\alpha, r_\beta) = r_\gamma$. Here too we need a decidable emission condition $\mathrm{Incl}(\xi, \phi)$ that checks the inclusion of intervals $\xi([-1, 1], [-1, 1]) \subseteq \phi([-1, 1])$ for each digit $\phi$; its explicit definition is given in Appendix A. By $\mu \circ \xi$ we denote the composition of a Möbius map $\mu$ and a quadratic map $\xi$ (note that the outcome is again a quadratic map). Moreover we use $\xi *_1 \mu$ and $\xi *_2 \mu$ to denote the two different ways of composing a quadratic map with a Möbius map, by feeding the Möbius map into its first (resp. second) argument. With this notation we can present the quadratic algorithm:

    quadratic ξ (x :: xs) (y :: ys) :=
        L :: quadratic (L⁻¹ ∘ ξ) (x :: xs) (y :: ys)    if Incl(ξ, L),
        R :: quadratic (R⁻¹ ∘ ξ) (x :: xs) (y :: ys)    else if Incl(ξ, R),
        M :: quadratic (M⁻¹ ∘ ξ) (x :: xs) (y :: ys)    else if Incl(ξ, M),
        quadratic (ξ *₁ x *₂ y) xs ys                    otherwise.

The intuition behind this algorithm is similar to that of the homographic algorithm. The homographic algorithm can be used to compute the unary field operation of opposite, while the quadratic algorithm can be used for the binary field operations of addition, multiplication and division. Simply taking

$$\xi := \begin{bmatrix} 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 \end{bmatrix}$$

(i.e. $\xi(x, y) = xy$) gives the multiplication. Note that addition and division are not total functions on $[-1, 1]$. The quadratic algorithm applied to

$$\xi := \begin{bmatrix} 0 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{bmatrix}$$

(i.e. $\xi(x, y) = x + y$) is a partial function that will calculate the addition (and is productive) if and only if the inputs add up to a number within $[-1, 1]$. However, the algorithms can also be used to calculate the binary average function and the restricted division that are defined in [CDG06].

In the present work we do not study the total version of the field operations and computations on the whole real line. However, we mention that transferring the computation to the whole real line is possible. One possibility would be to first move to $[0, +\infty]$ via the inverse of the above conjugacy map. From here we can follow [Pot98], where a redundant sign bit is added by considering a fourth-order elliptic Möbius map that leads to a cyclic group consisting of four signs for an unbiased exact floating point [Pot98, § 9.2].
3. General Corecursive Version of the Algorithms

The algorithms of the previous section specify partial functions into the coinductive type of streams. This partiality is problematic for us. Translating these specifications into the language of Coq means that we should ensure that the returned value is provably an infinite stream, which is obviously not always true for a partial function. The algorithms resemble the general shape of the filter algorithm (see Section 1). Hence, as expected, they satisfy neither the guardedness test of Coq nor any of the other syntactic schemes used in the theory of coalgebras.

The usual way of dealing with partial functions in type theory is to consider them as total functions on a new, restricted domain corresponding to the values on which the partial function is defined. In our case, it is well known [Pot98] that the algorithms are productive if they are applied to refining maps. The proof of this fact is a tedious semantic proof that deals with rational intervals. Thus we need to incorporate among the arguments of the function an additional argument, a so-called proof obligation, that captures the property of being refining and hence the semantic proof of the infinitude of the outcome. But directly adding the refining property Ref does not give us enough type-theoretic machinery, because Ref is just a simple propositional predicate that lacks any inductive or coinductive structure.

Instead, our proposed proof obligation will have a more complex shape, enabling us to use the type-theoretic tools of structural recursion and coinduction. Later, in Section 6, we show that our proposed proof obligation is a consequence of Ref. Instead of relying on properties of interval inclusion, our predicate relies on the intuitive idea of having an infinite output. Such a proof obligation is satisfied if at every step of the algorithm, after absorbing a finite number of digits, the emission condition eventually holds and hence we can output a digit. We plan to capture this inside a recursive function that at each step outputs the next digit, serving as a modulus of productivity. The original algorithms will then call this function at every step to obtain the next digit, while keeping track of the new arguments that should be passed to the next step. This idea is used by Bertot [Ber05b] to give a general method for defining filter in Coq. In this section we apply a modification of Bertot's method to our algorithms of exact arithmetic.

3.1. Homographic Algorithm. Let $\mathbb{M}$ (resp. $\mathbb{T}$) be the set of Möbius maps (resp. quadratic 
maps) in Coq. (They can be considered as $\mathbb{Q}^4$ and $\mathbb{Q}^8$ respectively, forgetting about the 
refining and nonsingular properties; those properties enter the picture when we study the 
correctness of the algorithms.) We are seeking to define a map $h: \mathbb{M} \times \mathrm{DIG}^\omega \to \mathrm{DIG}^\omega$ that 
corresponds to the homographic algorithm. But $h$ is a partial function and is not productive 
at every point. So instead of defining $h$ we shall define a map 

$$h: \Pi(\mu: \mathbb{M})(\alpha: \mathrm{DIG}^\omega).\ P_h(\mu,\alpha) \to \mathrm{DIG}^\omega$$

where $P_h(\mu,\alpha)$ is a predicate (i.e., a term of type Prop) with the intended meaning that 
the specification of the homographic algorithm is productive when applied to $\mu$ and $\alpha$. In 
other words it specifies the domain of the partial function $h$. We shall call $P_h$ a productivity 
predicate. 

The definition of $P_h$ is based on the modulus of productivity. This modulus is a recursive 
function 

$$m_h : \mathbb{M} \times \mathrm{DIG}^\omega \to \mathrm{DIG} \times \mathbb{M} \times \mathrm{DIG}^\omega$$

with the intended meaning that $m_h(\mu,\alpha) = (\phi,(\mu',\alpha'))$ if and only if 

$$\mathrm{homographic}\ \mu\ \alpha \leadsto \phi :: \mathrm{homographic}\ \mu'\ \alpha' ,$$

where $\leadsto$ denotes multiple reduction steps after which $\phi$ is output (so after the output of $\phi$ 
no more digits are absorbed into $\mu'$). We would like this to be a function with recursive 
calls on $\alpha$, but this is not possible: $\alpha$ has a coinductive type, while the 
structural recursion scheme needs an argument with an inductive type. In other words we 
need to equip the domain of the function $m_h$ with an inductively defined argument 
which will be used for the recursive calls. 

This situation is similar to the case of partial recursive functions or recursive functions 
with non-structurally recursive arguments. In order to formalise such functions in 
constructive type theory, there is a method of adding an inductive domain predicate, introduced 
in [DDG98] and extensively developed by Bove and Capretta [BC01]. According to 
this method we need to define an inductive predicate $E_h(\mu,\alpha)$ with the intended 
meaning that $\mu$ and $\alpha$ are in the domain of $m_h$, which in turn means that the homographic 
algorithm emits at least one digit when applied to $\mu$ and $\alpha$. Thus, as a first step in 
the definition of the productivity predicate, we define $E_h$ as the following inductive type. 

    Inductive E_h : 𝕄 → DIG^ω → Prop :=
    | E_hL  : ∀ (μ: 𝕄) (α: DIG^ω), Incl(μ, L) → E_h μ α
    | E_hR  : ∀ (μ: 𝕄) (α: DIG^ω), Incl(μ, R) → E_h μ α
    | E_hM  : ∀ (μ: 𝕄) (α: DIG^ω), Incl(μ, M) → E_h μ α
    | E_hab : ∀ (μ: 𝕄) (α: DIG^ω), E_h (μ ∘ (hd α)) (tl α) → E_h μ α.

Here E_hL, E_hR, E_hM and E_hab are the constructors of $E_h$. Note that $E_h$ has one constructor 
for each branch of the homographic algorithm: the first three correspond to the emission 
conditions Incl(μ, L), Incl(μ, R) and Incl(μ, M), tested in that order, and the last one to an 
absorption step. 

This allows us to define the modulus of productivity, i.e., a recursive function 

$$m_h: \Pi(\mu: \mathbb{M})(\alpha: \mathrm{DIG}^\omega).\ E_h(\mu,\alpha) \to \mathrm{DIG} \times \mathbb{M} \times \mathrm{DIG}^\omega$$

as follows. 

    Fixpoint m_h (μ: 𝕄) (α: DIG^ω) (t: E_h μ α) {struct t} : DIG * (𝕄 * DIG^ω) :=
      match Incl_dec(μ, L) with
      | left _    ⇒ (L, (L⁻¹ ∘ μ, α))
      | right t_L ⇒
          match Incl_dec(μ, R) with
          | left _    ⇒ (R, (R⁻¹ ∘ μ, α))
          | right t_R ⇒
              match Incl_dec(μ, M) with
              | left _    ⇒ (M, (M⁻¹ ∘ μ, α))
              | right t_M ⇒ m_h (μ ∘ (hd α)) (tl α) (E_hab_inv μ α t_L t_R t_M t)
              end
          end
      end.

Here Fixpoint (resp. struct) is the Coq keyword denoting a recursive definition (resp. the 
recursive argument of the structural recursive calls). Moreover, in the body of the definition 
two terms Incl_dec and E_hab_inv are used. Both terms can be proven as lemmas in Coq. The 
first lemma is the following. 

    Lemma Incl_dec : ∀ (μ: 𝕄) (φ: DIG), Incl(μ, φ) ⊕ ¬Incl(μ, φ).

This term extracts the informative computational content of the predicate Incl, which is 
a term of type Prop. This is necessary because in CIC one cannot obtain elements of 
type Set by pattern matching on propositions. Thus we have to use $\oplus : \mathrm{Prop} \times \mathrm{Prop} \to \mathrm{Set}$ 
(with left and right as its coprojections) to transfer propositions into a boolean sum on 
which we can pattern match. Hence the need for the above lemma is inevitable, although 
its proof is quite trivial. 

The second lemma states an inverse of the last constructor E_hab for the case in which no emission 
condition holds. 

    Lemma E_hab_inv : ∀ (μ: 𝕄) (α: DIG^ω),
      ¬Incl(μ, L) → ¬Incl(μ, R) → ¬Incl(μ, M) → E_h μ α →
      E_h (μ ∘ (hd α)) (tl α).

This lemma can be proven because $E_h$ is an inductive type and hence all its canonical 
objects are generated by one of its constructors. (Due to some technical issues with respect 
to the type theory of Coq, the proof has to be built using a specific method that is described 
in detail in [BC04, §15.4]. These issues are outside the scope of the present work.) 

Note that in $m_h$ the output is independent of the proof $t$. The term $t$ only serves as 
a catalyst that allows for using recursion where all the other arguments are not inductive. 
Thus we should be able to prove a proof irrelevance result for $m_h$. 

Lemma 3.1. Let $\mu \in \mathbb{M}$, $\alpha \in \mathrm{DIG}^\omega$ and let $t_1, t_2$ be two proofs that $E_h(\mu,\alpha)$ holds. Then 

$$m_h(\mu,\alpha,t_1) = m_h(\mu,\alpha,t_2) . \quad \square$$

The proof of the above lemma is based on a dependent induction scheme for $E_h$ that 
is more specialised than the usual induction scheme attributed to inductive types: the 
ordinary induction scheme can be used to prove a property $R: \mathbb{M} \to \mathrm{DIG}^\omega \to \mathrm{Prop}$, while the 
dependent induction scheme can be used to prove a property 

$$R: \Pi(\mu: \mathbb{M})(\alpha: \mathrm{DIG}^\omega).\ E_h(\mu,\alpha) \to \mathrm{Prop} .$$

Lemma 3.1 enables us to prove the fixed point equations of the function $m_h$. These 
are in fact unfoldings of the body of the definition of $m_h$; they are crucial for proving similar 
results for the homographic algorithm. Hence we state them in a lemma here: 

Lemma 3.2. Let $\mu \in \mathbb{M}$, $\alpha \in \mathrm{DIG}^\omega$ and let $t$ be a proof that $E_h(\mu,\alpha)$ holds. 

(1) If $\mathrm{Incl}(\mu, L)$ holds then 
$$m_h(\mu,\alpha,t) = (L, (L^{-1}\circ\mu, \alpha)) .$$

(2) If $\neg\mathrm{Incl}(\mu, L)$ but $\mathrm{Incl}(\mu, R)$ holds then 
$$m_h(\mu,\alpha,t) = (R, (R^{-1}\circ\mu, \alpha)) .$$

(3) If $\neg\mathrm{Incl}(\mu, L)$ and $\neg\mathrm{Incl}(\mu, R)$ but $\mathrm{Incl}(\mu, M)$ holds then 
$$m_h(\mu,\alpha,t) = (M, (M^{-1}\circ\mu, \alpha)) .$$

(4) If $\neg\mathrm{Incl}(\mu, L)$, $\neg\mathrm{Incl}(\mu, R)$ and $\neg\mathrm{Incl}(\mu, M)$ hold then for every proof $t'$ of 
$E_h(\mu\circ\mathrm{hd}(\alpha), \mathrm{tl}(\alpha))$ we have 
$$m_h(\mu,\alpha,t) = m_h(\mu\circ\mathrm{hd}(\alpha), \mathrm{tl}(\alpha), t') . \quad \square$$

Note that the last part states a more general fact than just the fourth branch of the 
recursive definition of $m_h$, because the proof obligation $t'$ is abstracted. Nevertheless its 
proof is similar to that of the other three parts. 

Having defined $m_h$ we need one more auxiliary predicate before defining $P_h$. This 
auxiliary predicate is an inductive predicate ensuring that $E_h$ holds for some finite number of 
iterations of $m_h$ (here $\pi_{ij}$ denotes the $i$-th projection of a $j$-tuple). 

    Inductive Φ_h : ℕ → 𝕄 → DIG^ω → Prop :=
    | Φ_h0 : ∀ (μ: 𝕄) (α: DIG^ω), E_h μ α → Φ_h 0 μ α
    | Φ_hS : ∀ (n: ℕ) (μ: 𝕄) (α: DIG^ω) (t: E_h μ α),
        Φ_h n (π₂₃(m_h μ α t)) (π₃₃(m_h μ α t)) → Φ_h (n+1) μ α.

Thus $\Phi_h(n,\mu,\alpha)$ states that the homographic algorithm emits at least $n+1$ digits when applied 
to $\mu$ and $\alpha$. We use this predicate to define $P_h$, a predicate that captures the productivity of 
the homographic algorithm. This predicate is an inductive type with one constructor. 

    Inductive P_h : 𝕄 → DIG^ω → Prop :=
    | P_hab : ∀ (μ: 𝕄) (α: DIG^ω), (∀ (n: ℕ), Φ_h (n+1) μ α) → P_h μ α.

The sole constructor of this type ensures that after each emission, which occurs because 
of $E_h$, the new Möbius map passed to the homographic algorithm results in a new emission. 
This fact is implicit in the following two properties of $P_h$ that are needed in the definition 
of the homographic algorithm. The first lemma states the relation between $P_h$ and $E_h$: 

    Lemma P_h_E_h : ∀ (μ: 𝕄) (α: DIG^ω), P_h μ α → E_h μ α.

The second lemma relates $m_h$ and $P_h$, and shows that $P_h$ is indeed passed on to the future 
arguments. 

    Lemma m_h_P_h : ∀ (μ: 𝕄) (α: DIG^ω) (t: E_h μ α),
      let μ' := π₂₃(m_h μ α t) in let α' := π₃₃(m_h μ α t) in
      P_h μ α → P_h μ' α'.

The proofs of both of the above lemmas are based on the inverses of the constructors of 
$\Phi_h$, namely the following lemma, which in turn is a consequence of Lemma 3.1. 

Lemma 3.3. For all $n \in \mathbb{N}$, $\mu \in \mathbb{M}$ and $\alpha \in \mathrm{DIG}^\omega$: 

(1) If $\Phi_h(n,\mu,\alpha)$ holds then $E_h(\mu,\alpha)$ holds. 

(2) Let $t$ be a proof that $E_h(\mu,\alpha)$ holds. Then if $\Phi_h(n+1,\mu,\alpha)$ holds, so does 
$$\Phi_h\big(n,\ \pi_{23}(m_h(\mu,\alpha,t)),\ \pi_{33}(m_h(\mu,\alpha,t))\big) . \quad \square$$

Finally we are ready to define the homographic algorithm as a function 

$$h: \Pi(\mu: \mathbb{M})(\alpha: \mathrm{DIG}^\omega).\ P_h(\mu,\alpha) \to \mathrm{DIG}^\omega$$

that takes the proof of its own productivity as one of its arguments. Here the Coq 
keyword CoFixpoint denotes that we are using the cofix rule (see Section 1). 

    CoFixpoint h (μ: 𝕄) (α: DIG^ω) (p: P_h μ α) : DIG^ω :=
      Cons (π₁₃(m_h μ α (P_h_E_h μ α p)))
           (h (π₂₃(m_h μ α (P_h_E_h μ α p)))
              (π₃₃(m_h μ α (P_h_E_h μ α p)))
              (m_h_P_h μ α (P_h_E_h μ α p) p)).

This definition passes the guardedness condition of Coq: the corecursive call to $h$ occurs 
directly under the constructor Cons, and all the work of absorbing digits has been moved into 
the structurally recursive $m_h$. Thus we have tackled the problem of productivity by changing 
the domain of the function and adding a proof obligation.
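To make the emission and absorption steps concrete, here is an executable model of the homographic algorithm. It is an added example and not code from the Coq development described on this page. Möbius maps are 2×2 rational matrices, the digits are the maps L, R, M used by the predicate rep in Section 4, Incl is decided by comparing the endpoints of the image of [-1,1], and `modulus` plays the role of $m_h$ together with $\delta_h$ of Section 5.1: it returns the emitted digit, the new map and the number of absorbed digits. The proof obligation $E_h$ has no computational content, so this example replaces it by a fuel bound (an assumption of the example): a non-productive call returns None instead of looping forever.

```python
from fractions import Fraction as Fr
from itertools import islice


class Mobius:
    """Moebius map x |-> (a*x + b) / (c*x + d) with rational coefficients."""

    def __init__(self, a, b, c, d):
        self.a, self.b, self.c, self.d = (Fr(v) for v in (a, b, c, d))

    def __call__(self, x):
        return (self.a * x + self.b) / (self.c * x + self.d)

    def compose(self, other):
        """self o other, i.e. the product of the two coefficient matrices."""
        a, b, c, d = self.a, self.b, self.c, self.d
        e, f, g, h = other.a, other.b, other.c, other.d
        return Mobius(a * e + b * g, a * f + b * h, c * e + d * g, c * f + d * h)

    def inverse(self):
        """Inverse map (up to a scalar factor); requires a nonsingular matrix."""
        if self.a * self.d - self.b * self.c == 0:
            raise ValueError("singular map has no inverse")
        return Mobius(self.d, -self.b, -self.c, self.a)

    def image(self):
        """Image of the base interval [-1, 1] as (lo, hi).  A Moebius map with no
        pole in [-1, 1] is monotone there, so the image is spanned by the values
        at the two endpoints."""
        if (self.d - self.c) * (self.d + self.c) <= 0:
            raise ValueError("pole inside [-1, 1]")
        lo, hi = self(Fr(-1)), self(Fr(1))
        return (min(lo, hi), max(lo, hi))


# The digit set of the page: L([-1,1]) = [-1,0], R([-1,1]) = [0,1], M([-1,1]) = [-1/3,1/3].
DIGITS = {"L": Mobius(1, -1, 1, 3), "R": Mobius(1, 1, -1, 3), "M": Mobius(1, 0, 0, 3)}


def incl(mu, digit):
    """Incl(mu, digit): mu([-1,1]) is contained in digit([-1,1])."""
    lo, hi = mu.image()
    dlo, dhi = DIGITS[digit].image()
    return dlo <= lo and hi <= dhi


def modulus(mu, alpha, fuel=10_000):
    """Executable counterpart of m_h and delta_h.  Absorbs digits from the iterator
    `alpha` until an emission condition holds (tested in the order L, R, M, as in
    the algorithm) and returns (emitted digit, digit^-1 o mu o absorbed digits,
    number of absorbed digits).  Returns None when no emission happens within
    `fuel` absorptions or the input runs dry: the specification is not productive
    at this point, i.e. there is no proof of E_h (fuel is an assumption of this
    example, not part of the page's development)."""
    for absorbed in range(fuel + 1):
        for digit in ("L", "R", "M"):
            if incl(mu, digit):
                return digit, DIGITS[digit].inverse().compose(mu), absorbed
        head = next(alpha, None)
        if head is None:
            return None
        mu = mu.compose(DIGITS[head])  # absorption step: mu o (hd alpha), tl alpha
    return None


def homographic(mu, alpha, fuel=10_000):
    """The homographic algorithm h as a lazy generator of output digits."""
    alpha = iter(alpha)
    while True:
        step = modulus(mu, alpha, fuel)
        if step is None:
            return  # partial: the output stops being productive here
        digit, mu, _ = step
        yield digit


def prefix(mu, alpha, n, fuel=10_000):
    """First n output digits of h(mu, alpha) as a string (shorter if not productive)."""
    return "".join(islice(homographic(mu, alpha, fuel), n))
```

Two behaviours worth trying: with the identity map, `h` emits exactly the digits it absorbs (each digit is absorbed and then immediately emitted, leaving the identity again), so `prefix(Mobius(1, 0, 0, 1), "LRM" * 5, 9)` is `"LRMLRMLRM"`; with the non-refining map $x \mapsto 2x$ no emission condition ever holds, so `prefix(Mobius(2, 0, 0, 1), "L" * 100, 3)` returns the empty string once the input is exhausted. That is the partiality the productivity predicate $P_h$ rules out.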

3.2. Cofixed Point Equations. Next we show that $h$ satisfies the specification of the 
homographic algorithm. At this point we need to use the extensional (bisimulation) equality $\approx$ 
on streams to prove an extensional proof irrelevance for $h$. The proof of this lemma uses Lemma 3.1. 

Lemma 3.4. Let $\mu \in \mathbb{M}$, $\alpha \in \mathrm{DIG}^\omega$ and let $p, p'$ be two proofs that $P_h(\mu,\alpha)$ holds. Then the 
observable outcome of $h$ is independent of $p$ and $p'$, i.e., 
$$h(\mu,\alpha,p) \approx h(\mu,\alpha,p') . \quad \square$$

Subsequently, we use the above lemma together with Lemma 3.2 to prove that $h$ satisfies 
the specification of the homographic algorithm. We call these the cofixed point equations of 
the homographic algorithm, because they can be considered as the dual of the fixed point 
equations for recursive functions. 

Lemma 3.5. Let $\mu \in \mathbb{M}$, $\alpha \in \mathrm{DIG}^\omega$ and let $p$ be a proof that $P_h(\mu,\alpha)$ holds. (In the first 
three cases the proof argument of the recursive call is left implicit, which is justified by Lemma 3.4.) 

(1) If $\mathrm{Incl}(\mu, L)$ holds then 
$$h(\mu,\alpha,p) \approx \mathrm{Cons}\ L\ h(L^{-1}\circ\mu, \alpha) .$$

(2) If $\neg\mathrm{Incl}(\mu, L)$ but $\mathrm{Incl}(\mu, R)$ holds then 
$$h(\mu,\alpha,p) \approx \mathrm{Cons}\ R\ h(R^{-1}\circ\mu, \alpha) .$$

(3) If $\neg\mathrm{Incl}(\mu, L)$ and $\neg\mathrm{Incl}(\mu, R)$ but $\mathrm{Incl}(\mu, M)$ holds then 
$$h(\mu,\alpha,p) \approx \mathrm{Cons}\ M\ h(M^{-1}\circ\mu, \alpha) .$$

(4) If $\neg\mathrm{Incl}(\mu, L)$, $\neg\mathrm{Incl}(\mu, R)$ and $\neg\mathrm{Incl}(\mu, M)$ hold then for every proof $p'$ of 
$P_h(\mu\circ\mathrm{hd}(\alpha), \mathrm{tl}(\alpha))$ we have 
$$h(\mu,\alpha,p) \approx h(\mu\circ\mathrm{hd}(\alpha), \mathrm{tl}(\alpha), p') . \quad \square$$

Hence we have shown that our function $h$ satisfies the specification of Section 2 and is 
indeed a formalisation of the homographic algorithm.

So far we have only tackled the formalisation of the homographic algorithm as a productive 
coinductive map, and not its correctness. As we stated earlier, the above algorithm 
(without enforcing any condition on $\mu$) is not always productive for non-refining Möbius 
maps. It is important to keep in mind that we have separated the issue of productivity 
from that of correctness. This is in accordance with the separation of termination and correctness in 
the Bove-Capretta method for general recursion [BC01], or already in Hoare logic. 
Moreover, this separation is also evident in the domain theoretic semantics of the real 
numbers [MRE07]. 

In order to prove correctness we need to define a suitable semantics (for example, 
use another model of the real numbers) and prove that the effect of the above algorithm, when 
applied to a refining Möbius map, is the same as the effect of that Möbius map on $[-1,1]$. 
This will be done in Sections 4 and 5. 

3.3. Quadratic Algorithm. In the case of the quadratic algorithm we follow the same 
method that we used for the homographic algorithm. We start by defining the inductive 
type for the domain of the modulus function. 

    Inductive E_q : 𝕋 → DIG^ω → DIG^ω → Prop :=
    | E_qL  : ∀ (ξ: 𝕋) (α β: DIG^ω), Incl(ξ, L) → E_q ξ α β
    | E_qR  : ∀ (ξ: 𝕋) (α β: DIG^ω), Incl(ξ, R) → E_q ξ α β
    | E_qM  : ∀ (ξ: 𝕋) (α β: DIG^ω), Incl(ξ, M) → E_q ξ α β
    | E_qab : ∀ (ξ: 𝕋) (α β: DIG^ω),
        E_q ((ξ ·₁ (hd α)) ·₂ (hd β)) (tl α) (tl β) → E_q ξ α β.

Here $\xi \cdot_1 \phi$ (resp. $\xi \cdot_2 \phi$) denotes the absorption of the digit $\phi$ into the first (resp. second) 
argument of the tensor $\xi$; an absorption step of the quadratic algorithm consumes one digit from 
each of the two input streams. Using this we define the modulus function by structural recursion 
on a term of the above type. Note that in this case the modulus function $m_q$ returns a quadruple 
$(\phi, (\xi', (\alpha', \beta')))$ consisting of the emitted digit, the new quadratic map passed to the 
continuation of the quadratic algorithm, and the remainders (unabsorbed parts) of the two 
streams of digits. 

    Fixpoint m_q (ξ: 𝕋) (α β: DIG^ω) (t: E_q ξ α β) {struct t}
      : DIG * (𝕋 * (DIG^ω * DIG^ω)) :=
      match Incl_dec(ξ, L) with
      | left _    ⇒ (L, (L⁻¹ ∘ ξ, (α, β)))
      | right t_L ⇒
          match Incl_dec(ξ, R) with
          | left _    ⇒ (R, (R⁻¹ ∘ ξ, (α, β)))
          | right t_R ⇒
              match Incl_dec(ξ, M) with
              | left _    ⇒ (M, (M⁻¹ ∘ ξ, (α, β)))
              | right t_M ⇒ m_q ((ξ ·₁ (hd α)) ·₂ (hd β)) (tl α) (tl β)
                               (E_qab_inv ξ α β t_L t_R t_M t)
              end
          end
      end.

Here E_qab_inv is an inverse of the last constructor of the inductive type $E_q$, akin to 
E_hab_inv for the homographic algorithm. Furthermore we have to prove the proof irrelevance 
and the fixed point equations for $m_q$. For brevity we do not state them here; their 
statements and proofs can be found in [Niq07a]. 

Next we define the inductive predicate $\Phi_q$ that ensures the validity of $E_q$ for finite 
iterations of $m_q$: 

    Inductive Φ_q : ℕ → 𝕋 → DIG^ω → DIG^ω → Prop :=
    | Φ_q0 : ∀ (ξ: 𝕋) (α β: DIG^ω), E_q ξ α β → Φ_q 0 ξ α β
    | Φ_qS : ∀ (n: ℕ) (ξ: 𝕋) (α β: DIG^ω) (t: E_q ξ α β),
        Φ_q n (π₂₄(m_q ξ α β t)) (π₃₄(m_q ξ α β t)) (π₄₄(m_q ξ α β t)) →
        Φ_q (n+1) ξ α β.

This allows us to define the productivity predicate $P_q$: 

    Inductive P_q : 𝕋 → DIG^ω → DIG^ω → Prop :=
    | P_qab : ∀ (ξ: 𝕋) (α β: DIG^ω), (∀ (n: ℕ), Φ_q n ξ α β) → P_q ξ α β.

Once again we need to prove two lemmas relating $P_q$ with $E_q$ and $m_q$. 

    Lemma P_q_E_q : ∀ (ξ: 𝕋) (α β: DIG^ω), P_q ξ α β → E_q ξ α β.

    Lemma m_q_P_q : ∀ (ξ: 𝕋) (α β: DIG^ω) (t: E_q ξ α β),
      let ξ' := π₂₄(m_q ξ α β t) in let α' := π₃₄(m_q ξ α β t) in
      let β' := π₄₄(m_q ξ α β t) in
      P_q ξ α β → P_q ξ' α' β'.

Finally we can define the quadratic algorithm as a function into the coinductive type 
of streams 

$$q: \Pi(\xi: \mathbb{T})(\alpha\ \beta: \mathrm{DIG}^\omega).\ P_q(\xi,\alpha,\beta) \to \mathrm{DIG}^\omega$$

using the cofixed point operator of Coq: 

    CoFixpoint q (ξ: 𝕋) (α β: DIG^ω) (p: P_q ξ α β) : DIG^ω :=
      Cons (π₁₄(m_q ξ α β (P_q_E_q ξ α β p)))
           (q (π₂₄(m_q ξ α β (P_q_E_q ξ α β p)))
              (π₃₄(m_q ξ α β (P_q_E_q ξ α β p)))
              (π₄₄(m_q ξ α β (P_q_E_q ξ α β p)))
              (m_q_P_q ξ α β (P_q_E_q ξ α β p) p)).

To prove that $q$ satisfies the specification of the quadratic algorithm we first need the 
extensional proof irrelevance: 

Lemma 3.6. Let $\xi \in \mathbb{T}$, $\alpha, \beta \in \mathrm{DIG}^\omega$ and let $p, p'$ be two proofs that $P_q(\xi,\alpha,\beta)$ holds. Then 
the observable outcome of $q$ is independent of $p$ and $p'$, i.e., 
$$q(\xi,\alpha,\beta,p) \approx q(\xi,\alpha,\beta,p') . \quad \square$$

Applying this lemma and the fixed point equations of $m_q$ we can prove the cofixed point 
equations of $q$. 

Lemma 3.7. Let $\xi \in \mathbb{T}$, $\alpha, \beta \in \mathrm{DIG}^\omega$ and let $p$ be a proof that $P_q(\xi,\alpha,\beta)$ holds. (As in 
Lemma 3.5, the proof argument of the recursive call is left implicit in the first three cases.) 

(1) If $\mathrm{Incl}(\xi, L)$ holds then 
$$q(\xi,\alpha,\beta,p) \approx \mathrm{Cons}\ L\ q(L^{-1}\circ\xi, \alpha, \beta) .$$

(2) If $\neg\mathrm{Incl}(\xi, L)$ but $\mathrm{Incl}(\xi, R)$ holds then 
$$q(\xi,\alpha,\beta,p) \approx \mathrm{Cons}\ R\ q(R^{-1}\circ\xi, \alpha, \beta) .$$

(3) If $\neg\mathrm{Incl}(\xi, L)$ and $\neg\mathrm{Incl}(\xi, R)$ but $\mathrm{Incl}(\xi, M)$ holds then 
$$q(\xi,\alpha,\beta,p) \approx \mathrm{Cons}\ M\ q(M^{-1}\circ\xi, \alpha, \beta) .$$

(4) If $\neg\mathrm{Incl}(\xi, L)$, $\neg\mathrm{Incl}(\xi, R)$ and $\neg\mathrm{Incl}(\xi, M)$ hold then for every proof $p'$ of 
$P_q((\xi \cdot_1 \mathrm{hd}(\alpha)) \cdot_2 \mathrm{hd}(\beta), \mathrm{tl}(\alpha), \mathrm{tl}(\beta))$ we have 
$$q(\xi,\alpha,\beta,p) \approx q((\xi \cdot_1 \mathrm{hd}(\alpha)) \cdot_2 \mathrm{hd}(\beta), \mathrm{tl}(\alpha), \mathrm{tl}(\beta), p') . \quad \square$$

Hence $q$ agrees with the specification of the quadratic algorithm.
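The same scheme for the quadratic algorithm, as an added executable example that is not part of the page's Coq development: a tensor is stored as its eight rational coefficients, $\xi \cdot_1 \phi$ and $\xi \cdot_2 \phi$ substitute a digit map for the first or second argument, $\phi^{-1}\circ\xi$ post-composes the inverse digit map, and Incl is decided on the four corners of $[-1,1]^2$ (valid because for fixed $y$ a tensor is a Möbius map in $x$ and vice versa, provided the denominator has no zero on the square, which the code checks). `modulus_q` plays the roles of $m_q$ and $\delta_q$; the proof obligation $E_q$ is again replaced by a fuel bound, an assumption of this example. The average and product tensors at the end are constructed sample inputs.

```python
from fractions import Fraction as Fr
from itertools import islice, product

# Digit maps z |-> (p z + q)/(r z + s) as (p, q, r, s), their inverses (up to a
# scalar) and their images of [-1, 1].
DIGIT = {"L": (1, -1, 1, 3), "R": (1, 1, -1, 3), "M": (1, 0, 0, 3)}
DIGIT_INV = {"L": (3, 1, -1, 1), "R": (3, -1, 1, 1), "M": (3, 0, 0, 1)}
DIGIT_RANGE = {"L": (Fr(-1), Fr(0)), "R": (Fr(0), Fr(1)), "M": (Fr(-1, 3), Fr(1, 3))}


class Tensor:
    """Quadratic map xi(x, y) = (a xy + b x + c y + d) / (e xy + f x + g y + h)."""

    def __init__(self, a, b, c, d, e, f, g, h):
        self.num = tuple(Fr(v) for v in (a, b, c, d))
        self.den = tuple(Fr(v) for v in (e, f, g, h))

    @staticmethod
    def _bilinear(coef, x, y):
        a, b, c, d = coef
        return a * x * y + b * x + c * y + d

    def __call__(self, x, y):
        return self._bilinear(self.num, x, y) / self._bilinear(self.den, x, y)

    def image(self):
        """Image of the square [-1,1]^2.  For fixed y the map is Moebius in x (and
        vice versa), so if the denominator has no zero on the square the extremes
        are attained at the four corners; a bilinear denominator has a zero on the
        square iff its corner values are not all of the same strict sign."""
        corners = [(Fr(sx), Fr(sy)) for sx, sy in product((-1, 1), repeat=2)]
        dens = [self._bilinear(self.den, x, y) for x, y in corners]
        if min(dens) <= 0 <= max(dens):
            raise ValueError("denominator vanishes on the square")
        vals = [self(x, y) for x, y in corners]
        return min(vals), max(vals)

    @staticmethod
    def _subst(coef, p, q, r, s, first):
        """Coefficients after substituting x := (p x' + q)/(r x' + s) (first=True)
        or y := (p y' + q)/(r y' + s) (first=False) and clearing the denominator."""
        a, b, c, d = coef
        if first:
            return (a * p + c * r, b * p + d * r, a * q + c * s, b * q + d * s)
        return (a * p + b * r, a * q + b * s, c * p + d * r, c * q + d * s)

    def absorb(self, digit, first):
        """xi .1 digit (first=True) or xi .2 digit (first=False)."""
        return Tensor(*self._subst(self.num, *DIGIT[digit], first),
                      *self._subst(self.den, *DIGIT[digit], first))

    def emit(self, digit):
        """digit^-1 o xi: post-compose the inverse digit map with xi."""
        p, q, r, s = DIGIT_INV[digit]
        pairs = list(zip(self.num, self.den))
        return Tensor(*(p * n + q * d for n, d in pairs),
                      *(r * n + s * d for n, d in pairs))


def modulus_q(xi, alpha, beta, fuel=10_000):
    """Executable counterpart of m_q and delta_q: absorb one digit from each stream
    until an emission condition holds; returns (digit, digit^-1 o xi', absorbed),
    or None when the specification is not productive here (no proof of E_q; the
    fuel bound is an assumption of this example)."""
    for absorbed in range(fuel + 1):
        lo, hi = xi.image()
        for digit in ("L", "R", "M"):
            dlo, dhi = DIGIT_RANGE[digit]
            if dlo <= lo and hi <= dhi:
                return digit, xi.emit(digit), absorbed
        x, y = next(alpha, None), next(beta, None)
        if x is None or y is None:
            return None
        xi = xi.absorb(x, True).absorb(y, False)
    return None


def quadratic(xi, alpha, beta, fuel=10_000):
    """The quadratic algorithm q as a lazy generator of output digits."""
    alpha, beta = iter(alpha), iter(beta)
    while True:
        step = modulus_q(xi, alpha, beta, fuel)
        if step is None:
            return
        digit, xi, _ = step
        yield digit


def prefix_q(xi, alpha, beta, n):
    """First n output digits of q(xi, alpha, beta) as a string."""
    return "".join(islice(quadratic(xi, alpha, beta), n))


# Constructed sample tensors: the average (x + y)/2 and the product x * y, both
# refining on [-1,1]^2.
AVERAGE = Tensor(0, 1, 1, 0, 0, 0, 0, 2)
PRODUCT = Tensor(1, 0, 0, 0, 0, 0, 0, 1)
```

Averaging the streams for $-1$ (all L) and $+1$ (all R) yields $0$ as MMMM…, but running the example shows how uneven the modulus of productivity can be: the first M is emitted after 2 absorptions, the second after 8 in total, the third after 26, because each absorbed L or R narrows the image only by a factor of about $k/(k+1)$. Productivity still holds, as [Pot98] guarantees for refining maps, but there is no uniform bound on the number of absorptions per emission, which is exactly why $P_h$ and $P_q$ quantify over every step rather than fixing one modulus.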

3.4. General Corecursion? Evidently the method for formalising the quadratic algorithm 
mimics precisely the one used for the homographic algorithm. This suggests that one can 
generalise the method to obtain a scheme in the style of [CHL03] for formalising specifications 
of partial functions on coinductive types. Such a method would be the dual of the Bove-Capretta 
method [BC01] for general recursion; for our situation the dual term general corecursion 
seems suitable. In this article we have not developed such a scheme, as our focus lies on the 
special case of exact arithmetic algorithms for the coinductive type of reals. Nevertheless, all 
the intermediate inductive predicates and recursive functions can be obtained by following 
the shape of the specification. Therefore we consider the method generic enough for 
formalising arbitrary partial coalgebra maps for strictly positive functors in any category 
modelling CIC. 

In fact the method might work in categories for simpler extensions of Martin-Löf type 
theory. This is because the method does not rely on properties peculiar to CIC; even 
the distinction between Set and Prop is not necessary, and we could put all the inductive 
predicates in Set. However, with an eye on program extraction, we prefer to keep the 
distinction between informative and non-informative objects. Note that if we extract the 
function $h$, the argument $P_h(\mu,\alpha)$ is discarded, resulting in a function $h: \mathbb{M} \times \mathrm{DIG}^\omega \to \mathrm{DIG}^\omega$ 
which differs from the original specification only modulo unfolding (see the 
discussion by Bertot [Ber05b]). 

It remains to be seen whether the method can be applied in categories other than those 
modelling some extension of Martin-Löf type theory. 

Comparing our method with the one given by Bertot [Ber05b], we observe that both 
there and in our work the same idea of dualising the Bove-Capretta method is pursued. 
One difference between our work and [Ber05b] is that we consider $\Phi_h$ to be an inductive 
type, while Bertot uses a coinductive predicate F_infinite. But our predicate $P_h$ (which 
is a wrapper for $\Phi_h$) and Bertot's F_infinite seem to be extensionally equal. Moreover 
we need the inductive predicate $\Phi_h$ to capture the iteration of $m_h$, a feature that 
does not occur in Bertot's method for filter. This is due to the slight difference between 
the homographic algorithm and the general form of the filter function: in the homographic 
algorithm the property Incl is a dynamic property, because the Möbius map, being passed 
to future steps of the function, changes all the time; therefore the property that states 
productivity has to keep track of this. However, by considering a more dynamic form 
of filter, such as the function etree_filter introduced in [Niq04, p. 128], it might be possible 
to extend the method of [Ber05b] and apply it to our case. 

Another notable difference is our use of bisimulation equality and the proofs of the 
extensional cofixed point equations, which are not present in [Ber05b], where instead another 
coinductive predicate is used to describe the connectedness of a stream with respect to a 
given property. 

Finally, we remark that the role of the productivity predicate in our work is reminiscent 
of the forall function in [Sim98] (which is attributed to Berger). There, this function is 
employed to provide a universal quantifier for total predicates on streams and is used for 
obtaining higher order functions such as numerical integration. However, this function, 
which is the basis for defining other functions in [Sim98], does not itself satisfy the Coq 
guardedness condition and hence its formalisation in Coq would require additional trickery 
similar to what we did here for our algorithms. On the other hand, in our work the 
productivity predicates are inductively defined data types rather than functions and hence 
are not hampered by the guardedness condition. It might, however, be possible to combine 
our method with the techniques of [Sim98] for defining higher order functions. 

4. Representation 

As is the case with all algorithms, 'to prove the correctness' of the homographic and 
quadratic algorithms can refer to different concepts: 

(i) To prove that the algorithms satisfy their Haskell-like specification. 

(ii) To prove that the algorithms turn the set $\mathrm{DIG}^\omega$ into a partial field and behave as 
Möbius and quadratic maps on this partial field. 

(iii) To prove that the algorithms correspond to Möbius and quadratic maps on $[-1,1]$. 

Concept (i) amounts to proving the cofixed point equations and was carried out in 
Section 3.2. Concept (ii) requires that we focus on the field operations (via specific tensors 
for $+$ and $\times$) and prove that they satisfy the algebraic properties of field operations such as 
commutativity and distributivity. Concept (iii) requires the use of a model of the real numbers 
and means that we project the algorithms to functions on this standard model. It 
is clear that (iii) is much less work, as we only have to prove the correspondence of the 
algorithms once and can then reduce every question on $\mathrm{DIG}^\omega$ to a question on the standard 
model of $\mathbb{R}$. This way we do not have to prove the field axioms for $\mathrm{DIG}^\omega$ one by one. The 
remainder of this work is based on concept (iii). 

To prove that the algorithms are correct in the sense of (iii), first we should prove that 
every stream in $\mathrm{DIG}^\omega$ represents a real number in $[-1,1]$. This means that there exists a 
total map $\rho$ from $\mathrm{DIG}^\omega$ to $[-1,1]$ such that for all $\phi_0\phi_1\ldots \in \mathrm{DIG}^\omega$ we have 

$$\{\rho(\phi_0\phi_1\ldots)\} = \bigcap_{i=1}^{\infty} \phi_0\circ\cdots\circ\phi_{i-1}([-1,1]) .$$

(In fact $\mathrm{DIG}^\omega$ is a representation, which means that $\rho$ is also surjective. This is easily 
provable [Niq04, §5], but it is not needed in the correctness proofs for our algorithms.) 

This can be proven by coinduction, but one needs to define a coinductive predicate that 
captures the existence of $\rho$. This leads to the following definition of a binary predicate 
$\mathrm{rep}: \mathrm{DIG}^\omega \times [-1,1] \to \mathrm{Prop}$ with the intended meaning that $\mathrm{rep}(\alpha,r)$ holds if $\rho(\alpha) = \{r\}$. 

    CoInductive rep : DIG^ω → ℝ → Prop :=
    | rep_L : ∀ (α β: DIG^ω) (r: ℝ), -1 ≤ r ≤ 1 →
        rep α r → β ≈ Cons L α → rep β ((r - 1)/(r + 3))
    | rep_R : ∀ (α β: DIG^ω) (r: ℝ), -1 ≤ r ≤ 1 →
        rep α r → β ≈ Cons R α → rep β ((r + 1)/(-r + 3))
    | rep_M : ∀ (α β: DIG^ω) (r: ℝ), -1 ≤ r ≤ 1 →
        rep α r → β ≈ Cons M α → rep β (r/3).

The constructors of this coinductive predicate spell out the effect of each digit, namely the 
maps $L(r) = (r-1)/(r+3)$, $R(r) = (r+1)/(-r+3)$ and $M(r) = r/3$, which send $[-1,1]$ onto 
$[-1,0]$, $[0,1]$ and $[-1/3,1/3]$ respectively, and as such depend on the choice of digits. 
However, they can easily be adapted or generalised for working with other digit sets. The 
predicate is similar to the predicate represents of Bertot [Ber05a, Ber07] and (to a lesser 
extent) to the predicate $\sim$ of Hou [Hou06], but has a notable difference: the clause 
$\beta \approx \mathrm{Cons}\ d\ \alpha$ that is added to each constructor. The purpose of this clause is to 
facilitate the use of cofixed point equations. Without this clause rep would still have the 
intended topological semantics in terms of $\rho$, but it would not be usable in the coinductive 
proof of correctness that we intend to give in the next section. The reason is the guardedness 
condition of Coq: even without the $\approx$ clause in the constructors of rep we could find a 
proof $X$, by coinduction, of the property 

$$\forall \alpha\,\beta\,r,\ \mathrm{rep}(\alpha,r) \to \alpha \approx \beta \to \mathrm{rep}(\beta,r) . \tag{4.1}$$

This is the basic property of rep that should have been enough for the correctness proof. But 
upon rewriting with (4.1) in the course of the coinductive correctness proof $A$ we would violate 
the guardedness condition. This would happen because we would have supplied a recursive 
occurrence of the coinductive proof $A$ which occurs in a subterm of the form 

$$X\ \alpha_0\ \beta_0\ r_0\ (\mathrm{rep}_d\ A)$$

(where $\mathrm{rep}_d$ is a constructor of rep). In such a situation $A$ is guarded by $\mathrm{rep}_d$ and $X$. 
This does not satisfy the guardedness condition because $X$ is itself a cofixed point whose 
expansion takes the coinductive proof $A$ as an argument in its recursive occurrence, in a way 
that the guardedness condition rejects. Using the cofixed point equations instead of (4.1) 
we do not land in this situation. Thus we have decided to add the $\approx$ clause, which 
eliminates the need for (4.1); instead we use the cofixed point equations in the correctness 
proofs. 

Note that (4.1) is still a correct statement and can be used in other situations. In fact 
we can use it to prove that the inverses of the constructors of rep hold, e.g.: 

$$\forall \alpha\,r,\ \mathrm{rep}(\mathrm{Cons}\ L\ \alpha,\ r) \to \mathrm{rep}\Big(\alpha,\ \frac{3r+1}{1-r}\Big) . \tag{4.2}$$
The inversion lemmas in turn are used in proving the link between a stream and its 
future tails. Let $\alpha_n$ (resp. $\alpha|_n$) denote the $(n+1)$-st digit of $\alpha$ (resp. the stream obtained 
by dropping the first $n$ digits of $\alpha$). Then we can prove by induction on $n$, using the 
inversion lemmas, that 

$$\forall \alpha\,r,\ \mathrm{rep}(\alpha,r) \to \mathrm{rep}\big(\alpha|_n,\ \alpha_{n-1}^{-1}\circ\cdots\circ\alpha_0^{-1}(r)\big) . \tag{4.3}$$

To show that rep satisfies its metric property we have to define a function $[\![\_]\!]$ that 
evaluates a stream and obtains the real number represented by it (cf. real_value 
in [Ber07]). In fact this function calculates the limit of the converging sequence of shrinking 
intervals that is obtained by successive application of the digits, starting from the base 
interval. To be able to define $[\![\_]\!]$ we should show this convergence property. This proof 
depends directly on the metric properties of the specific digit set that we have chosen. 
Setting $\mathrm{diam}([a,b]) = b - a$ we have to show that 

$$\max\big\{\, \mathrm{diam}\big(\phi_0\circ\phi_1\circ\cdots\circ\phi_{k-1}([-1,1])\big) \ \big|\ \phi_i \in \mathrm{DIG} \,\big\} \le \frac{2}{k+1} . \tag{4.4}$$

(The bound is attained by the all-$L$ word, since $L^k([-1,1]) = [-1, -\tfrac{k-1}{k+1}]$, and symmetrically 
by the all-$R$ word.) This is provable by induction on $k$ [Niq04, Corollary 5.7.9], and it entails 
that the diameters of the nested intervals tend to $0$, so that their endpoints form Cauchy 
sequences. Hence if we define $l_k(\alpha)$ (resp. $u_k(\alpha)$) to be the lower bound (resp. upper bound) 
of the interval $\alpha_0\circ\alpha_1\circ\cdots\circ\alpha_{k-1}([-1,1])$ we can define 

$$[\![\alpha]\!] = \lim_{k\to\infty} l_k(\alpha) .$$

(We could equivalently have used the upper bounds.) Note that (4.4) can be rewritten as 

$$\forall \alpha\,k,\ u_k(\alpha) - l_k(\alpha) \le \frac{2}{k+1} ; \tag{4.5}$$

and we can prove (by induction on $k$) that 

$$\forall \alpha\,k\,r,\ \mathrm{rep}(\alpha,r) \to r \in [l_k(\alpha), u_k(\alpha)] ; \tag{4.6}$$

and hence 

$$\forall \alpha\,r,\ \mathrm{rep}(\alpha,r) \to r \in [-1,1] . \tag{4.7}$$

Furthermore, using the properties of limits we can prove, for $\phi$ a digit, 

$$[\![\mathrm{Cons}\ \phi\ \alpha]\!] = \phi([\![\alpha]\!]) , \tag{4.8}$$

$$[\![\alpha]\!] \in [-1,1] . \tag{4.9}$$

Thus we can prove the following by an easy coinduction on the structure of rep. 

$$\forall \alpha,\ \mathrm{rep}(\alpha, [\![\alpha]\!]) . \tag{4.10}$$

Finally we can prove the main properties of rep: 

$$\forall \alpha\,r,\ [\![\alpha]\!] = r \to \mathrm{rep}(\alpha,r) ; \tag{4.11}$$

$$\forall \alpha\,r,\ \mathrm{rep}(\alpha,r) \to [\![\alpha]\!] = r . \tag{4.12}$$

The proof of (4.11) follows from (4.10) and (4.9), while (4.12) needs in addition some properties 
of the limit. 

Hence we have shown that rep satisfies its intended metric property with respect to the 
map $\rho$ defined at the beginning of this section. We conclude the section by pointing out 
what rep does not entail. The most important aspect is that our representation $\mathrm{DIG}^\omega$ is an 
admissible representation, i.e., it contains enough redundancy so that the usual computable 
functions are computable with respect to this representation [Niq04, Corollary 5.7.10]. However, 
the bisimulation equality $\approx$ does not know anything about this redundancy and distinguishes 
two streams representing the same real number. Therefore for two different representations 
$\alpha_1, \alpha_2$ of a real number $r$, there are two different proofs $\mathrm{rep}(\alpha_1,r)$ and $\mathrm{rep}(\alpha_2,r)$ that have 
no syntactic relation to each other. This, of course, is not an issue for our 
application of rep in the correctness proofs of the next section. 
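The metric side of this section can be checked numerically. The following is an added example, not code from the page's Coq development: it implements the digit maps of rep and their inverses (cf. (4.2)), the bounds $l_k$ and $u_k$, the approximation of $[\![\alpha]\!]$ by $l_k(\alpha)$, the tail map of (4.3), and a brute-force check of (4.4) for small $k$. Digit words are plain strings over L, R, M, which is an assumption of the example.

```python
from fractions import Fraction as Fr
from itertools import islice, product

# The three digit maps from the constructors of rep, and their inverses as in (4.2).
DIGIT = {"L": lambda r: (Fr(r) - 1) / (Fr(r) + 3),
         "R": lambda r: (Fr(r) + 1) / (-Fr(r) + 3),
         "M": lambda r: Fr(r) / 3}
DIGIT_INV = {"L": lambda r: (3 * Fr(r) + 1) / (1 - Fr(r)),
             "R": lambda r: (3 * Fr(r) - 1) / (Fr(r) + 1),
             "M": lambda r: 3 * Fr(r)}


def apply_digits(word, r):
    """phi_0 o phi_1 o ... o phi_{k-1} (r) for the digit word phi_0 ... phi_{k-1};
    the innermost digit phi_{k-1} is applied first."""
    for d in reversed(word):
        r = DIGIT[d](r)
    return r


def bounds(word):
    """(l_k, u_k): the endpoints of phi_0 o ... o phi_{k-1}([-1, 1]).  Each digit map
    is increasing on [-1, 1], so the image is spanned by the images of -1 and 1."""
    return apply_digits(word, -1), apply_digits(word, 1)


def value(stream, k):
    """l_k(alpha), the k-th approximation of [[alpha]] from an iterable of digits;
    by (4.5) it is within 2/(k+1) of the real number represented by alpha."""
    return bounds(list(islice(stream, k)))[0]


def tail_value(word, r):
    """alpha_{n-1}^{-1} o ... o alpha_0^{-1} (r) for the absorbed prefix `word`: the
    real represented by the tail alpha|_n when alpha represents r, cf. (4.3)."""
    for d in word:
        r = DIGIT_INV[d](r)
    return r


def max_diameter(k):
    """Left-hand side of (4.4), by enumerating all 3^k digit words of length k."""
    return max(u - l for l, u in (bounds(w) for w in product("LRM", repeat=k)))
```

`max_diameter(k) == Fr(2, k + 1)` for the small `k` one can enumerate, with the maximum attained by the all-L and all-R words; this is the slow, $1/k$ convergence that (4.5) bounds, in contrast with the $3^{-k}$ contraction of the all-M word.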

5. Coinductive Correctness 

We are going to prove that the homographic and quadratic algorithms correspond to 
Möbius and quadratic maps on $[-1,1]$ as a subset of the standard model of $\mathbb{R}$. We base our 
correctness proofs on the coinductive predicate rep and we prove that for the functions $h$ 
and $q$ of Section 3 we have 

$$\forall \mu\,\alpha\,p\,r,\ \mathrm{rep}(\alpha,r) \to \mathrm{rep}(h(\mu,\alpha,p),\ \mu(r)) ; \tag{5.1}$$

$$\forall \xi\,\alpha\,\beta\,p\,r_1\,r_2,\ \mathrm{rep}(\alpha,r_1) \to \mathrm{rep}(\beta,r_2) \to \mathrm{rep}(q(\xi,\alpha,\beta,p),\ \xi(r_1,r_2)) . \tag{5.2}$$

It is clear that once we have proven these, applying Properties (4.11) and (4.12) of rep, we 
can derive 

$$\forall \mu\,\alpha\,p\,r,\ [\![\alpha]\!] = r \to [\![h(\mu,\alpha,p)]\!] = \mu(r) ;$$
$$\forall \xi\,\alpha\,\beta\,p\,r_1\,r_2,\ [\![\alpha]\!] = r_1 \to [\![\beta]\!] = r_2 \to [\![q(\xi,\alpha,\beta,p)]\!] = \xi(r_1,r_2) .$$

Note that these statements require a proof obligation for the productivity predicates 
$P_h$ and $P_q$, following our definition of $h$ and $q$. This means that we prove correctness 
modulo the existence of proofs of these predicates. In the remainder of this section we show 
how to prove (5.1) and (5.2). 



5.1. Homographic Algorithm. We want to prove (5.1). This means that in addition to 
$\mu$, $\alpha$ and $r$ we are also given a proof $p$ of the statement $P_h(\mu,\alpha)$ that ensures the productivity 
of $h(\mu)$ at $\alpha$. We use $p$ to obtain some auxiliary tools that we will need in the proof of 
(5.1). We will also use the terms that were used in our technique for general corecursion 
(see Section 3). First we need a function 

$$\delta_h: \Pi(\mu: \mathbb{M})(\alpha: \mathrm{DIG}^\omega).\ E_h(\mu,\alpha) \to \mathbb{N}$$

that counts the number of absorption steps before the first (eventually) occurring emission 
step. Note the resemblance with the definition of the modulus of productivity $m_h$. 

    Fixpoint δ_h (μ: 𝕄) (α: DIG^ω) (t: E_h μ α) {struct t} : ℕ :=
      match Incl_dec(μ, L) with
      | left _    ⇒ 0
      | right t_L ⇒
          match Incl_dec(μ, R) with
          | left _    ⇒ 0
          | right t_R ⇒
              match Incl_dec(μ, M) with
              | left _    ⇒ 0
              | right t_M ⇒ 1 + δ_h (μ ∘ (hd α)) (tl α) (E_hab_inv μ α t_L t_R t_M t)
              end
          end
      end.



We will also need to prove the proof irrelevance of $\delta_h$ (i.e., that its value is independent of 
$t$), its fixed point equations and its relationship with $m_h$. We state the latter: 

Lemma 5.1. Let $\mu \in \mathbb{M}$, $\alpha \in \mathrm{DIG}^\omega$ and let $t$ be a proof that $E_h(\mu,\alpha)$ holds. Then for all $n$, if 
$\delta_h(\mu,\alpha,t) = n$ then there exists $\phi \in \mathrm{DIG}$ such that 

$$m_h(\mu,\alpha,t) = \big(\phi,\ (\phi^{-1}\circ\mu\circ\alpha_0\circ\cdots\circ\alpha_{n-1},\ \alpha|_n)\big) . \quad \square$$

Then we need to prove that if the value of $\delta_h$ is $n$ then after $n$ steps an emission occurs, 
i.e., the emission condition is satisfied: 

Lemma 5.2. Let $\mu \in \mathbb{M}$, $\alpha \in \mathrm{DIG}^\omega$ and let $t$ be a proof that $E_h(\mu,\alpha)$ holds. Then for all $n$, if 
$\delta_h(\mu,\alpha,t) = n$ then one of the following three cases holds. 

(a) $\mathrm{Incl}(\mu\circ\alpha_0\circ\cdots\circ\alpha_{n-1},\ L) \wedge \pi_{13}(m_h(\mu,\alpha,t)) = L$ ; 

(b) $\mathrm{Incl}(\mu\circ\alpha_0\circ\cdots\circ\alpha_{n-1},\ R) \wedge \pi_{13}(m_h(\mu,\alpha,t)) = R$ ; 

(c) $\mathrm{Incl}(\mu\circ\alpha_0\circ\cdots\circ\alpha_{n-1},\ M) \wedge \pi_{13}(m_h(\mu,\alpha,t)) = M$ . $\square$ 

Both lemmas above are proven by induction on $n$. All this machinery is used in proving 
the following lemma, which describes the observable (hence the use of $\approx$) situation of the 
homographic algorithm at the moment of emission. It explicitly mentions the new input 
Möbius map passed to the homographic algorithm, the emission condition and the necessary 
proof obligation. 

Lemma 5.3. Let $\mu \in \mathbb{M}$, $\alpha \in \mathrm{DIG}^\omega$ and let $p$ be a proof that $P_h(\mu,\alpha)$ holds. Then there exist 
$n \in \mathbb{N}$ and $\phi \in \mathrm{DIG}$ that satisfy the following three conditions. 

(1) $P_h(\phi^{-1}\circ\mu\circ\alpha_0\circ\cdots\circ\alpha_{n-1},\ \alpha|_n)$ ; 

(2) $\mathrm{Incl}(\mu\circ\alpha_0\circ\cdots\circ\alpha_{n-1},\ \phi)$ ; 

(3) If $p'$ is a proof that $P_h(\phi^{-1}\circ\mu\circ\alpha_0\circ\cdots\circ\alpha_{n-1},\ \alpha|_n)$ holds then 

$$h(\mu,\alpha,p) \approx \mathrm{Cons}\ \phi\ h(\phi^{-1}\circ\mu\circ\alpha_0\circ\cdots\circ\alpha_{n-1},\ \alpha|_n,\ p') . \quad \square$$

Finally we need a property of refining Möbius maps whose proof is immediate, but we 
state it explicitly to highlight its use. 

Lemma 5.4. If $\mathrm{Incl}(\mu,\phi)$ then $\phi^{-1}\circ\mu$ is refining. $\square$ 

Now we have the necessary tools for proving the correctness of the homographic algorithm: 

Theorem 5.5. Let $\mu \in \mathbb{M}$, $\alpha \in \mathrm{DIG}^\omega$, $r \in \mathbb{R}$ and let $p$ be a proof that $P_h(\mu,\alpha)$ holds. If 
$\mathrm{rep}(\alpha,r)$ holds then 

$$\mathrm{rep}(h(\mu,\alpha,p),\ \mu(r)) .$$

Proof. By Lemma 5.3 there exist $n$, $\phi$ and $p'$ such that 

$$\mathrm{Incl}(\mu\circ\alpha_0\circ\cdots\circ\alpha_{n-1},\ \phi) , \tag{5.3}$$

$$h(\mu,\alpha,p) \approx \mathrm{Cons}\ \phi\ h(\phi^{-1}\circ\mu\circ\alpha_0\circ\cdots\circ\alpha_{n-1},\ \alpha|_n,\ p') . \tag{5.4}$$

By Property (4.3) of rep we have 

$$\mathrm{rep}\big(\alpha|_n,\ \alpha_{n-1}^{-1}\circ\cdots\circ\alpha_0^{-1}(r)\big) .$$

COINDUCTIVE FORMAL REASONING IN EXACT REAL ARITHMETIC 23 

Whence by coinduction applied to 

$$\mu_c := \phi^{-1}\circ\mu\circ\alpha_0\circ\cdots\circ\alpha_{n-1},\quad \alpha_c := \alpha|_n,\quad p_c := p',\quad r_c := \alpha_{n-1}^{-1}\circ\cdots\circ\alpha_0^{-1}(r) ,$$

we obtain $\mathrm{rep}(h(\mu_c,\alpha_c,p_c),\ \mu_c(r_c))$, i.e., 

$$\mathrm{rep}\big(h(\phi^{-1}\circ\mu\circ\alpha_0\circ\cdots\circ\alpha_{n-1},\ \alpha|_n,\ p'),\ \phi^{-1}\circ\mu\circ\alpha_0\circ\cdots\circ\alpha_{n-1}\circ\alpha_{n-1}^{-1}\circ\cdots\circ\alpha_0^{-1}(r)\big) . \tag{5.5}$$

Let $r_1 := \mu_c\circ\alpha_{n-1}^{-1}\circ\cdots\circ\alpha_0^{-1}(r)$. According to Lemma 5.4, from (5.3) it follows that $\mu_c$ 
is refining. Note that by Properties (4.7) and (4.3) of rep we have 

$$\alpha_{n-1}^{-1}\circ\cdots\circ\alpha_0^{-1}(r) \in [-1,1] ;$$

and thus, by the refining property, $r_1 \in [-1,1]$. 

From here and (5.5), according to the statement of the constructor $\mathrm{rep}_\phi$ of rep applied 
to $r_1$, the stream $h(\mu_c,\alpha_c,p_c)$ and the stream $h(\mu,\alpha,p)$, we obtain 

$$\mathrm{rep}\big(h(\mu,\alpha,p),\ \phi(\phi^{-1}\circ\mu\circ\alpha_0\circ\cdots\circ\alpha_{n-1}\circ\alpha_{n-1}^{-1}\circ\cdots\circ\alpha_0^{-1}(r))\big) \tag{5.6}$$

(note that (5.4) discharges the $\approx$ clause of $\mathrm{rep}_\phi$). 

Finally, by simple rewriting and cancelling out the inverse matrices in (5.6) we obtain 
the conclusion: 

$$\begin{aligned}
&\mathrm{rep}\big(h(\mu,\alpha,p),\ \phi(\phi^{-1}\circ\mu\circ\alpha_0\circ\cdots\circ\alpha_{n-1}\circ\alpha_{n-1}^{-1}\circ\cdots\circ\alpha_0^{-1}(r))\big) \\
&= \mathrm{rep}\big(h(\mu,\alpha,p),\ \phi\circ\phi^{-1}\circ\mu\circ\alpha_0\circ\cdots\circ\alpha_{n-1}\circ\alpha_{n-1}^{-1}\circ\cdots\circ\alpha_0^{-1}(r)\big) \\
&= \mathrm{rep}(h(\mu,\alpha,p),\ \mu(r)) . \qquad \square
\end{aligned}$$

5.2. Quadratic Algorithm. The procedure for the correctness of the quadratic algorithm
is quite similar to the case of the homographic algorithm, only the proof itself is more
meticulous. First we define a function $\delta_q\colon\Pi(\xi\colon\mathbb{T})(\alpha,\beta\colon\mathrm{DIG}^\omega).\,E_q(\xi,\alpha,\beta)\to\mathbb{N}$ that
outputs the number of steps to the next emission step. We can prove properties similar
to those of $\delta_h$.

The main auxiliary lemma in this case is the following. 

Lemma 5.6. Let $\xi\in\mathbb{T}$, $\alpha,\beta\in\mathrm{DIG}^\omega$ and $p$ be a proof that $P_q(\xi,\alpha,\beta)$ holds. Then there exist $n\in\mathbb{N}$ and $\phi\in\mathrm{DIG}$ that satisfy the following three conditions.

(1) $P_q(\phi^{-1}\circ\xi(\alpha_0\circ\dots\circ\alpha_{n-1},\beta_0\circ\dots\circ\beta_{n-1}),\alpha|_n,\beta|_n)$ ;

(2) $\mathrm{Incl}(\xi(\alpha_0\circ\dots\circ\alpha_{n-1},\beta_0\circ\dots\circ\beta_{n-1}),\phi)$ ;

(3) If $p'$ is a proof that $P_q(\phi^{-1}\circ\xi(\alpha_0\circ\dots\circ\alpha_{n-1},\beta_0\circ\dots\circ\beta_{n-1}),\alpha|_n,\beta|_n)$ holds, then

$$q(\xi,\alpha,\beta,p)\simeq\mathrm{Cons}\ \phi\ q(\phi^{-1}\circ\xi(\alpha_0\circ\dots\circ\alpha_{n-1},\beta_0\circ\dots\circ\beta_{n-1}),\alpha|_n,\beta|_n,p')\ . \qquad\square$$






Note that $\xi(\alpha_0\circ\dots\circ\alpha_{n-1},\beta_0\circ\dots\circ\beta_{n-1})$ denotes the new tensor after $n$ absorption
steps, i.e., after $n$ applications of $\bullet_1$ and $\bullet_2$.

We also need a result on refining tensors which is immediately provable from the defi- 
nition of refining and Incl. 

Lemma 5.7. If $\mathrm{Incl}(\xi,\phi)$ then $\phi^{-1}\circ\xi$ is a refining tensor. □

From these we can prove the correctness of the quadratic algorithm. In particular
we do not need any additional property of rep apart from those that were used for the
homographic algorithm. The proof is quite similar to the proof of Theorem 5.5 and is
formalised in Coq [Niq07a], and so we do not detail it here.

Theorem 5.8. Let $\xi\in\mathbb{T}$, $\alpha,\beta\in\mathrm{DIG}^\omega$, $r_1,r_2\in\mathbb{R}$ and let $p$ be a proof that $P_q(\xi,\alpha,\beta)$ holds. If $\mathrm{rep}(\alpha,r_1)$ and $\mathrm{rep}(\beta,r_2)$ hold then

$$\mathrm{rep}(q(\xi,\alpha,\beta,p),\xi(r_1,r_2))\ . \qquad\square$$

Note that the above theorems require the existence of proofs for the productivity statements
$P_h$ and $P_q$. Deriving these depends on the specific metric properties of each Möbius map
and tensor. Next we prove that for refining maps we can dispose of these productivity
predicates.

6. Final step: Refining, Productivity and Topological Correctness 

So far we have shown that the homographic and quadratic algorithms are 'correct'
modulo the existence of the productivity predicates $P_h$ and $P_q$. In this section we will prove
that if a Möbius map (resp. quadratic map) is refining then, irrespective of the input
stream(s) used, the property $P_h$ (resp. $P_q$) is always satisfied; in other words, being
refining is enough to ensure correctness. In light of Theorems 5.5 and 5.8 this
will entail that for refining maps the homographic and quadratic algorithms correspond to
Möbius and quadratic maps on $[-1,1]$. This is the final step in the correctness proof of the
algorithms. We call this the topological correctness of the algorithms. The reason is that (1)
it shows that Ref, which is a purely metric property, is enough to ensure the correctness and
(2) the proofs are based on continuity arguments. It will also show that our type theoretic
approach of dealing with general corecursion has been sound with respect to the metric
semantics of the algorithms.

6.1. Homographic Algorithm. The productivity predicate $P_h$ is the latest in a chain
of type theoretic auxiliary predicates and functions $E_h$, $m_h$ and $\Psi_h$. By examining these
predicates we observe that the only topological notion appears in the type of the constructors
of $E_h$, in the form of the emission condition. We should follow this link to obtain the
productivity predicate for a refining Möbius map.

First we state some elementary properties of the interval predicates that we introduced
in Section 2. We omit the proofs, which are trivial case distinctions on comparisons of the
end points of the intervals.

Lemma 6.1. Let $\mu$ be a Möbius map.

(1) $\mu$ is bounded (i.e., its denominator does not vanish in $[-1,1]$) if and only if the property $\mathrm{Bounded}(\mu)$ holds.

(2) $\mu$ is refining (i.e., it maps $[-1,1]$ into itself) if and only if $\mathrm{Ref}(\mu)$ holds.

(3) If $\mu$ is bounded and for each $r\in[-1,1]$, $\mu(r)\in[-1,0]$ then $\mathrm{Incl}(\mu,\mathsf{L})$.

(4) If $\mu$ is bounded and for each $r\in[-1,1]$, $\mu(r)\in[0,1]$ then $\mathrm{Incl}(\mu,\mathsf{R})$.

(5) If $\mu$ is bounded and for each $r\in[-1,1]$, $\mu(r)\in[-\frac13,\frac13]$ then $\mathrm{Incl}(\mu,\mathsf{M})$. □

This lemma ensures that we can comfortably work with the predicates Ref and
Bounded to prove results about refining maps. An easily provable consequence of the
above lemma is the following.

Lemma 6.2. Let $\mu_1$ and $\mu_2$ be Möbius maps.

(1) If $\mathrm{Bounded}(\mu_1)$ and $\mathrm{Ref}(\mu_2)$ then $\mathrm{Bounded}(\mu_1\circ\mu_2)$ .

(2) If $\mathrm{Ref}(\mu_1)$ and $\mathrm{Ref}(\mu_2)$ then $\mathrm{Ref}(\mu_1\circ\mu_2)$ . □

Given a refining Möbius map $\mu$, we define the diameter of $\mu$ to be

$$\mathrm{diam}(\mu)=|\mu(-1)-\mu(1)|\ .$$

Next we need a metric property of the representation, which measures the amount of
redundancy of the representation. For any set $\Phi$ of refining Möbius maps we define

$$\mathrm{red}(\Phi)=\min\{\,|\phi_i(-1)-\phi_j(1)|\ :\ \phi_i,\phi_j\in\Phi,\ \phi_i(-1)\neq\phi_j(1)\,\}\ .$$

The above definition is based on the intuitive idea that the more the ranges of the
digits overlap, the more choices one has for representing real numbers. The intended meaning is
that for two digit sets $\Phi_1$ and $\Phi_2$ with the same number of elements, if $\mathrm{red}(\Phi_1)>\mathrm{red}(\Phi_2)$
then $\Phi_1$ has more redundancy. Note that this intended meaning does not work for adding
extra digits (which decreases red) but only for comparing the redundancy of two digit
sets with the same number of digits.
Clearly

$$\mathrm{red}(\mathsf{L},\mathsf{R},\mathsf{M})=\tfrac13\ .$$

Then using this quantity we state and prove the following lemma, which shows that for
refining Möbius maps with sufficiently small diameter the emission condition holds.

Lemma 6.3. If $\mu$ is a refining Möbius map and $\mathrm{diam}(\mu)<\frac13=\mathrm{red}(\mathsf{L},\mathsf{R},\mathsf{M})$ then there
exists $\phi\in\mathrm{DIG}$ such that $\mathrm{Incl}(\mu,\phi)$.

Proof. The proof uses Lemma 6.1(3)–(5) and case distinction on comparison of $\mu(-1)$ and
$\mu(1)$ with $\mathsf{L}(1)=\mathsf{R}(-1)=0$, $\mathsf{M}(-1)=-\frac13$ and $\mathsf{M}(1)=\frac13$. □

At this point the following question arises: can we decrease the diameter of an arbitrary
refining Möbius map by repeated absorption in such a way that it becomes less than $\frac13$? The
answer is positive. First we should assess the diameter of the product of two Möbius maps,
because an absorption step is nothing but a product with a digit. Hence we prove the
following lemma.

Lemma 6.4. Let $\mu_1=\left[\begin{smallmatrix}a&b\\c&d\end{smallmatrix}\right]$ be a refining Möbius map.

(1) If $\mu_2$ is a refining Möbius map, then

$$\mathrm{diam}(\mu_1\circ\mu_2)=\frac{\mathrm{diam}(\mu_2)\cdot|\det\mu_1|}{|(c\,\mu_2(-1)+d)(c\,\mu_2(1)+d)|}\ .$$

(2) If $\alpha\in\mathrm{DIG}^\omega$, then

$$\mathrm{diam}(\mu_1\circ\alpha_0\circ\dots\circ\alpha_{n-1})=\frac{(u_n(\alpha)-l_n(\alpha))\cdot|\det\mu_1|}{|(c\cdot u_n(\alpha)+d)(c\cdot l_n(\alpha)+d)|}\ ,$$

where $[l_n(\alpha),u_n(\alpha)]=\alpha_0\circ\dots\circ\alpha_{n-1}([-1,1])$.

Proof. (1) Note that by Lemma 6.2(2) the product is refining and thus the left hand side is
well-defined. The identity follows by straightforward calculation (see [Hec02]).
(2) Since all the digits are refining, we can apply part (1) with $\mu_2:=\alpha_0\circ\dots\circ\alpha_{n-1}$. □

Next we can prove that after finitely many absorption steps the emission condition
holds and thus the algorithm is 'informally' productive.

Theorem 6.5. Let $\mu=\left[\begin{smallmatrix}a&b\\c&d\end{smallmatrix}\right]$ be a refining Möbius map and $\alpha\in\mathrm{DIG}^\omega$. Then there exist
$n\in\mathbb{N}$ and $\phi\in\mathrm{DIG}$ such that $\mathrm{Incl}(\mu\circ\alpha_0\circ\dots\circ\alpha_{n-1},\phi)$ holds.

Proof. Let

$$X:=\max\Big(\frac{1}{|c+d|},\ \frac{1}{|d-c|}\Big)$$

and take

$$n:=\big\lceil\,6\cdot|\det\mu|\cdot X^2\,\big\rceil \qquad (6.1)$$

(here we take the ceiling using the Archimedean property of $\mathbb{Q}$).

Note that since $\mu$ is refining it is bounded, and hence $\left[\begin{smallmatrix}0&1\\c&d\end{smallmatrix}\right]$, i.e. the map $x\mapsto 1/(cx+d)$, is bounded and monotone on $[-1,1]$. Thus for all $x\in[-1,1]$ we have

$$\frac{1}{|cx+d|}\le X\ . \qquad (6.2)$$

On that account we calculate:

$$\begin{aligned}
\mathrm{diam}(\mu\circ\alpha_0\circ\dots\circ\alpha_{n-1})
&=\frac{(u_n(\alpha)-l_n(\alpha))\cdot|\det\mu|}{|(c\cdot u_n(\alpha)+d)(c\cdot l_n(\alpha)+d)|} &&\text{by Lemma 6.4(2)}\\
&\le X^2\cdot(u_n(\alpha)-l_n(\alpha))\cdot|\det\mu| &&\text{by (6.2)}\\
&\le\frac{2\cdot X^2\cdot|\det\mu|}{n+1} &&\text{by (4.5)}\\
&<\tfrac13 &&\text{by (6.1)}\ .
\end{aligned}$$

Hence we can apply Lemma 6.3 and obtain $\phi$ as required. □

The above existential theorem gives us a pair of witnesses $(n,\phi)$, but we would like to
make the canonical choice of the smallest such witness. This is possible because we are
dealing with a decidable predicate Incl (see $\mathrm{Incl}_{\mathrm{dec}}$) on the well-founded set $\mathbb{N}\times\mathrm{DIG}$.
The idea is that once we have a witness we can perform a search bounded by this witness
to obtain the smallest witness. This can be summarised as the following result.

Lemma 6.6. Let $\mu$ be a refining Möbius map and $\alpha\in\mathrm{DIG}^\omega$. Then there exist $n\in\mathbb{N}$ and
$\phi\in\mathrm{DIG}$ such that the following two conditions hold.

(1) $\mathrm{Incl}(\mu\circ\alpha_0\circ\dots\circ\alpha_{n-1},\phi)$ ;

(2) $\forall m<n\ \forall\phi'.\ \neg\mathrm{Incl}(\mu\circ\alpha_0\circ\dots\circ\alpha_{m-1},\phi')$ .
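As an added worked example (not part of the article or of its Coq formalisation [Niq07a]), the following Python code implements, with exact rationals, the notions used in this subsection: the digits L, R, M as matrices, Incl through the image interval as in Lemma 6.1 (3)–(5), diam and red, the absorption bound $n$ of (6.1), an exhaustive check of Theorem 6.5 for a given map, and the lazy homographic algorithm in the shape of Lemma 5.3, whose "absorb until the first inclusion" is the bounded search of Lemma 6.6. The concrete digit matrices are an assumption of the example (they agree with $\mathsf{L}(1)=\mathsf{R}(-1)=0$ and $\mathsf{M}(\pm1)=\pm\frac13$ used above), and all function names are the example's own.

```python
from fractions import Fraction as Fr
from itertools import islice, product
from math import ceil

# Digits on [-1,1] as integer matrices ((a, b), (c, d)) standing for x -> (ax+b)/(cx+d).
# The concrete matrices are an assumption of this example; they agree with the values
# used on the page: L(1) = R(-1) = 0, M(-1) = -1/3, M(1) = 1/3.
L = ((1, -1), (1, 3))   # L(x) = (x-1)/(x+3),  L([-1,1]) = [-1, 0]
R = ((1, 1), (-1, 3))   # R(x) = (x+1)/(3-x),  R([-1,1]) = [0, 1]
M = ((1, 0), (0, 3))    # M(x) = x/3,          M([-1,1]) = [-1/3, 1/3]
DIGITS = {"L": L, "R": R, "M": M}

def apply(mu, x):
    (a, b), (c, d) = mu
    x = Fr(x)
    return (a * x + b) / (c * x + d)

def compose(m1, m2):  # matrix product, i.e. the map x -> m1(m2(x))
    (a, b), (c, d) = m1
    (e, f), (g, h) = m2
    return ((a * e + b * g, a * f + b * h), (c * e + d * g, c * f + d * h))

def inverse(mu):  # the adjugate represents the inverse map (scaling is irrelevant)
    (a, b), (c, d) = mu
    return ((d, -b), (-c, a))

def bounded(mu):  # the denominator keeps one strict sign on [-1,1]
    (_, _), (c, d) = mu
    return (c + d) * (d - c) > 0

def image(mu):  # mu([-1,1]); a bounded Moebius map is monotone, so the end points suffice
    lo, hi = apply(mu, -1), apply(mu, 1)
    return (min(lo, hi), max(lo, hi))

def refining(mu):
    return bounded(mu) and image(mu)[0] >= -1 and image(mu)[1] <= 1

def incl(mu, phi):  # Incl(mu, phi) in the reading of Lemma 6.1 (3)-(5)
    if not bounded(mu):
        return False
    (lo, hi), (plo, phi_hi) = image(mu), image(phi)
    return plo <= lo and hi <= phi_hi

def diam(mu):
    return abs(apply(mu, -1) - apply(mu, 1))

def red(digits):  # redundancy of a digit set as defined in Section 6.1 (digits: a list)
    pairs = [(apply(p, -1), apply(q, 1)) for p in digits for q in digits]
    return min(abs(x - y) for x, y in pairs if x != y)

def emit_digit(mu):  # emission condition: the first digit phi with Incl(mu, phi), else None
    return next((name for name, phi in DIGITS.items() if incl(mu, phi)), None)

def absorb(mu, names):  # mu o alpha_0 o ... o alpha_{n-1}
    for name in names:
        mu = compose(mu, DIGITS[name])
    return mu

def absorption_bound(mu):  # the n of (6.1) in the proof of Theorem 6.5
    (a, b), (c, d) = mu
    X = max(Fr(1, abs(c + d)), Fr(1, abs(d - c)))
    return ceil(6 * abs(a * d - b * c) * X * X)

def theorem_6_5_holds(mu):
    """Check Theorem 6.5 for mu over every digit prefix of length absorption_bound(mu):
    the diameter is then below 1/3 and, by Lemma 6.3, some digit is included."""
    n = absorption_bound(mu)
    return all(diam(absorb(mu, p)) < Fr(1, 3) and emit_digit(absorb(mu, p)) is not None
               for p in product(DIGITS, repeat=n))

def homographic(mu, alpha):
    """Lazy homographic algorithm in the shape of Lemma 5.3: absorb digits of alpha until
    some phi includes the image of mu, emit phi, continue with phi^{-1} o mu.  Absorbing
    until the first inclusion is the bounded search of Lemma 6.6; the loop is productive
    for refining mu (Corollary 6.11).  alpha is an iterator of digit names."""
    while True:
        phi = emit_digit(mu)
        if phi is None:
            mu = compose(mu, DIGITS[next(alpha)])          # absorption step
        else:
            yield phi
            mu = compose(inverse(DIGITS[phi]), mu)         # emission step

def digits_of(r):
    """A digit stream for the rational r in [-1,1]: pick a digit whose range contains r and
    continue with phi^{-1}(r).  The representation is redundant, so other streams for r
    exist; that is why results are compared as intervals, not as digit sequences."""
    r = Fr(r)
    assert -1 <= r <= 1
    while True:
        name = next(nm for nm, phi in DIGITS.items() if image(phi)[0] <= r <= image(phi)[1])
        yield name
        r = apply(inverse(DIGITS[name]), r)

def prefix_interval(names):  # phi_0 o ... o phi_{k-1}([-1,1]): the interval a prefix pins down
    return image(absorb(((1, 0), (0, 1)), names))

def output_interval(mu, r, k):
    """Interval cut out by the first k digits of h(mu, digits_of(r)).  By Theorem 5.5 it
    contains mu(r); by (4.5) its width is at most 2/(k+1)."""
    return prefix_interval(list(islice(homographic(mu, digits_of(r)), k)))
```

`output_interval` shows Theorem 5.5 at work: whatever digit stream is fed in for $r$, the prefix interval of the first $k$ output digits contains $\mu(r)$ and shrinks like $2/(k+1)$. `theorem_6_5_holds` enumerates all $3^n$ prefixes of the length $n$ given by (6.1); the bound is only an upper bound, so emission typically happens earlier, which is exactly why the algorithm searches for the smallest witness rather than absorbing $n$ digits blindly.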

At this point we are ready to embark on proving our type theoretic predicates. First 
we prove that being refining implies that Eh holds. 

Lemma 6.7. Let $\mu$ be a refining Möbius map and $\alpha\in\mathrm{DIG}^\omega$. Then $E_h(\mu,\alpha)$ holds.

Proof. Assume $n$ is obtained by applying Lemma 6.6 to $\mu$ and $\alpha$. We proceed by induction
on $n$. (This might seem odd, as $n$ is a witness given to us; nevertheless we can carry out induction for a universal property for any $m$ such that $m=n$.) If $n=0$ then $\mathrm{Incl}(\mu,\phi)$ should hold for some $\phi$ and we can apply the corresponding
constructor of $E_h$ among $E_{h\mathsf{L}}$, $E_{h\mathsf{R}}$ and $E_{h\mathsf{M}}$.

Now assume we have proven the conclusion for all refining maps for which the witness
given by Lemma 6.6 is $k$, and $n=k+1$. Note that for $\mu\circ\alpha_0$ and $\alpha|_1$ the witness given by
Lemma 6.6 must be $k$. Therefore by the induction hypothesis we have

$$E_h(\mu\circ\alpha_0,\alpha|_1)\ . \qquad (6.3)$$

Since $0<k+1=n$ we know by Lemma 6.6(2) that $\mathrm{Incl}(\mu,\phi)$ does not hold for any $\phi$, i.e.

$$\neg\mathrm{Incl}(\mu,\mathsf{L})\ ,\quad \neg\mathrm{Incl}(\mu,\mathsf{R})\ ,\quad \neg\mathrm{Incl}(\mu,\mathsf{M})\ . \qquad (6.4)$$

Consequently, we can apply the constructor $E_{h\mathrm{ab}}$ to (6.4) and (6.3) to obtain a proof
of $E_h(\mu,\alpha)$. □

Next we need two technical lemmas relating the refining property with the two
auxiliary functions $\delta_h$ (Section 5.1) and $m_h$ (Section 3.1).

Lemma 6.8. Let $\mu$ be a refining Möbius map and $\alpha\in\mathrm{DIG}^\omega$. Let $n$ be given by applying
Lemma 6.6 to $\mu$ and $\alpha$. Let $t_0$ be the proof given by Lemma 6.7 that $E_h(\mu,\alpha)$ holds. Then

$$\delta_h(\mu,\alpha,t_0)=n\ .$$

Proof. By induction on $n$. For $n=0$, by Lemma 6.6(1) $\mathrm{Incl}(\mu,\phi)$ should hold for some $\phi$,
and the conclusion follows from the definition of $\delta_h$.

Now assume we have proven the conclusion for all refining maps for which the witness
given by Lemma 6.6 is $k$, and $n=k+1$. Applying the induction hypothesis to $\mu\circ\alpha_0$ and
$\alpha|_1$ we obtain

$$\delta_h(\mu\circ\alpha_0,\alpha|_1,t_1)=k\ , \qquad (6.5)$$

where $t_1$ is the proof given by Lemma 6.7 for $E_h(\mu\circ\alpha_0,\alpha|_1)$.
Furthermore, since $0<k+1=n$, by Lemma 6.6(2)

$$\neg\mathrm{Incl}(\mu,\mathsf{L})\ ,\quad \neg\mathrm{Incl}(\mu,\mathsf{R})\ ,\quad \neg\mathrm{Incl}(\mu,\mathsf{M})\ .$$

From here together with the definition of $\delta_h$ and (6.5) we obtain

$$\delta_h(\mu,\alpha,t_0)=\delta_h(\mu\circ\alpha_0,\alpha|_1,t_1)+1=k+1=n\ . \qquad\square$$

Lemma 6.9. Let $\mu$ be a refining Möbius map and $\alpha\in\mathrm{DIG}^\omega$. Let $t_0$ be the proof given by
Lemma 6.7 that $E_h(\mu,\alpha)$ holds. Let $m_h(\mu,\alpha,t_0):=(\phi,(\mu',\alpha'))$. Then $\mu'$ is refining.

Proof. Let $n$ be obtained by applying Lemma 6.6 to $\mu$ and $\alpha$. By Lemma 6.8 we have

$$\delta_h(\mu,\alpha,t_0)=n\ . \qquad (6.6)$$

Hence by applying Lemma 5.1 to $\mu$, $\alpha$, $t_0$ and $n$ we obtain a digit $\phi'$ such that

$$m_h(\mu,\alpha,t_0)=(\phi',(\phi'^{-1}\circ\mu\circ\alpha_0\circ\dots\circ\alpha_{n-1},\alpha|_n))\ .$$

Hence

$$\phi=\phi'\ ,\qquad \mu'=\phi^{-1}\circ\mu\circ\alpha_0\circ\dots\circ\alpha_{n-1}\ .$$

Note that the inverses of digits are not refining, so we cannot use Lemma 6.2 to prove that
$\mu'$ is refining. Instead we apply Lemma 5.4, so we have to show that $\mathrm{Incl}(\mu\circ\alpha_0\circ\dots\circ\alpha_{n-1},\phi)$. But
this is evident by applying Lemma 5.2 to (6.6). □

Finally, we prove that being refining implies $\Psi_h$, which is the crux of the productivity
property that we used for defining the homographic algorithm.

Lemma 6.10. Let $n\in\mathbb{N}$, $\mu$ be a refining Möbius map and $\alpha\in\mathrm{DIG}^\omega$. Then $\Psi_h(n,\mu,\alpha)$
holds.

Proof. By induction on $n$. If $n=0$ then by Lemma 6.7 we know that $E_h(\mu,\alpha)$ holds, and
hence we can apply the constructor $\Psi_{h0}$ to obtain the conclusion. Assume the conclusion
holds for $n=k$ and arbitrary refining Möbius maps. Let $t_0$ be the specific proof given by
Lemma 6.7 that $E_h(\mu,\alpha)$ holds, and let

$$m_h(\mu,\alpha,t_0):=(\phi,(\mu',\alpha'))\ .$$

Due to our choice of $t_0$, by Lemma 6.9 it follows that $\mu'$ is refining. Thus we can apply the
induction hypothesis to $\mu'$ and $\alpha'$ to obtain a proof of $\Psi_h(k,\mu',\alpha')$, which can be rewritten
as:

$$\Psi_h(k,\pi_{23}(m_h(\mu,\alpha,t_0)),\pi_{33}(m_h(\mu,\alpha,t_0)))\ . \qquad (6.7)$$

Hence by applying the constructor $\Psi_{hS}$ to $\mu$, $\alpha$, $t_0$ and (6.7) the result follows. □

As a corollary we obtain the main result of this section. This states that the purely 
topological property Ref entails the type theoretic productivity predicate Ph which we had 
added to satisfy the guardedness condition of Coq. 

Corollary 6.11. Let $\mu$ be a refining Möbius map and $\alpha\in\mathrm{DIG}^\omega$. Then $P_h(\mu,\alpha)$ holds.

6.2. Quadratic Algorithm. We should prove that if a quadratic map is refining then the
predicates $E_q$, $\Psi_q$ and $P_q$ hold. We follow the same route as for the homographic algorithm
to prove the counterpart of Theorem 6.5. There we defined the diameter of a refining Möbius
map and calculated a uniform upper bound for it after finitely many absorption steps. Here the
situation is slightly more complicated, because when assessing the effect of a quadratic map
on two intervals (one for each argument) we should examine the values at the 4 corners of the
Cartesian product. So already the definition of the diameter will be slightly different. But
first we state the properties of the interval predicates for a quadratic map (see Appendix A
for the definitions), which are again provable by straightforward case analysis.

Lemma 6.12. Let $\xi$ be a quadratic map.

(1) $\xi$ is bounded (i.e., its denominator does not vanish in $[-1,1]\times[-1,1]$) if and only if $\mathrm{Bounded}(\xi)$ holds.

(2) $\xi$ is refining (i.e., it maps $[-1,1]\times[-1,1]$ into $[-1,1]$) if and only if $\mathrm{Ref}(\xi)$ holds.

(3) If $\xi$ is bounded and for each $r_1,r_2\in[-1,1]$, $\xi(r_1,r_2)\in[-1,0]$ then $\mathrm{Incl}(\xi,\mathsf{L})$.

(4) If $\xi$ is bounded and for each $r_1,r_2\in[-1,1]$, $\xi(r_1,r_2)\in[0,1]$ then $\mathrm{Incl}(\xi,\mathsf{R})$.

(5) If $\xi$ is bounded and for each $r_1,r_2\in[-1,1]$, $\xi(r_1,r_2)\in[-\frac13,\frac13]$ then $\mathrm{Incl}(\xi,\mathsf{M})$. □

Recall that there were two ways of composing a quadratic map and a Möbius map.
Using the lemma above we can derive the following about these two products.

Lemma 6.13. Let $\xi$ be a quadratic map and $\mu_1$ and $\mu_2$ be Möbius maps.

(1) If $\mathrm{Bounded}(\xi)$, $\mathrm{Ref}(\mu_1)$ and $\mathrm{Ref}(\mu_2)$ then $\mathrm{Bounded}(\xi\bullet_1\mu_1\bullet_2\mu_2)$ .

(2) If $\mathrm{Ref}(\xi)$, $\mathrm{Ref}(\mu_1)$ and $\mathrm{Ref}(\mu_2)$ then $\mathrm{Ref}(\xi\bullet_1\mu_1\bullet_2\mu_2)$ . □
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Note that for a refining quadratic map ^, C([— 1, 1], -) is a function on subintervals of 
[—1,1]. We define the diameter of ^ on rational subintervals [xo,yo] and [xi,yi] of [—1,1] 
to be 

diam2(^, [xo,yo],[xi,yi]) = [min(roo,roi,rio,rii),max(roo,roi,rio,rii)] , 

where 



r r'oo '"01 ■ 

L-rio rii _ 



We will usually use diam2(C) [-1) 1]) [-Ij 1]) however in some intermediate steps of the 
proofs we sometimes have to invoke diameter for other rational subintervals. Again we can 
prove a lemma relating the diameter, redundancy and Incl. 

Lemma 6.14. If $\xi$ is a refining quadratic map for which $\mathrm{diam}_2(\xi,[-1,1],[-1,1])<\frac13=\mathrm{red}(\mathsf{L},\mathsf{R},\mathsf{M})$ then there exists $\phi\in\mathrm{DIG}$ such that $\mathrm{Incl}(\xi,\phi)$.

Proof. If $\xi([-1,1],[-1,1])=[x,y]$, we consider the following three cases.

If $y\le 0$: $\mathrm{Incl}(\xi,\mathsf{L})$ by Lemma 6.12(3),

else if $0\le x$: $\mathrm{Incl}(\xi,\mathsf{R})$ by Lemma 6.12(4),

otherwise: $\mathrm{Incl}(\xi,\mathsf{M})$ by Lemma 6.12(5). □

Unlike what we did in Lemma 6.4, here we cannot find a closed formula for the diameter
of the product of a quadratic map and two Möbius maps. We should find another way of
ensuring that in the absorption steps the diameter can become smaller than $\frac13$. At
first glance it seems that we really have to prove the uniform continuity of the quadratic map
considered as a binary function on rational numbers, but careful examination of the proof
of Theorem 6.5 shows that pointwise continuity could be enough. Thus we prove the
following lemma.

Lemma 6.15. Let $\xi$ be a refining quadratic map. Then for all $0<\varepsilon\in\mathbb{Q}^+$ there exist
$0<\vartheta_0,\vartheta_1\in\mathbb{Q}^+$ such that for all $x_0,x_1,y_0,y_1\in[-1,1]$, if $|x_0-x_1|<\vartheta_0$ and $|y_0-y_1|<\vartheta_1$
then

$$|\xi(x_0,y_0)-\xi(x_1,y_1)|<\varepsilon\ .$$

Proof. This is equivalent to the continuity of a refining (and hence bounded) quadratic map
on $[-1,1]\times[-1,1]$. □

As a corollary we can locally bound the diameter of a refining quadratic map (all four corner values of a small rectangle are within $\varepsilon$ of each other by Lemma 6.15):

Corollary 6.16. Let $\xi$ be a refining quadratic map. Then for all $0<\varepsilon\in\mathbb{Q}^+$ there exist
$0<\vartheta_0,\vartheta_1\in\mathbb{Q}^+$ such that for all $x_0\le x_1$ and $y_0\le y_1$ in $[-1,1]$, if $x_1-x_0<\vartheta_0$ and $y_1-y_0<\vartheta_1$
then

$$\mathrm{diam}_2(\xi,[x_0,x_1],[y_0,y_1])<\varepsilon\ .$$

At this point we are ready to state and prove the counterpart of Theorem 6.5, which
ensures the flow of emission steps after a finite number of absorption steps.

Theorem 6.17. Let $\xi$ be a refining quadratic map and $\alpha,\beta\in\mathrm{DIG}^\omega$. Then there exist
$n\in\mathbb{N}$ and $\phi\in\mathrm{DIG}$ such that $\mathrm{Incl}(\xi(\alpha_0\circ\dots\circ\alpha_{n-1},\beta_0\circ\dots\circ\beta_{n-1}),\phi)$ holds.

Proof. Let $\vartheta_0,\vartheta_1$ be given by applying Corollary 6.16 to $\varepsilon=\frac13$. Take

$$n:=\max\Big(\Big\lceil\frac{2}{\vartheta_0}\Big\rceil,\ \Big\lceil\frac{2}{\vartheta_1}\Big\rceil\Big)\ .$$

Let

$$x_0:=l_n(\alpha)\ ,\quad x_1:=u_n(\alpha)\ ,\quad y_0:=l_n(\beta)\ ,\quad y_1:=u_n(\beta)\ .$$

Note that due to (4.5) we have

$$x_1-x_0\le\frac{2}{n+1}<\vartheta_0\ ,\qquad y_1-y_0\le\frac{2}{n+1}<\vartheta_1\ ,$$

the strict inequalities following from the choice of $n$. From here together with Corollary 6.16 for $x_0,x_1,y_0$ and $y_1$ we obtain

$$\mathrm{diam}_2(\xi,[x_0,x_1],[y_0,y_1])<\tfrac13\ . \qquad (6.8)$$

But an easy calculation shows that

$$\begin{aligned}
\mathrm{diam}_2(\xi,[x_0,x_1],[y_0,y_1])&=\mathrm{diam}_2(\xi,\ \alpha_0\circ\dots\circ\alpha_{n-1}([-1,1]),\ \beta_0\circ\dots\circ\beta_{n-1}([-1,1]))\\
&=\mathrm{diam}_2(\xi(\alpha_0\circ\dots\circ\alpha_{n-1},\beta_0\circ\dots\circ\beta_{n-1}),[-1,1],[-1,1])\ . \qquad (6.9)
\end{aligned}$$

Therefore we can apply Lemma 6.14 with (6.8) and (6.9) to obtain the desired digit $\phi$. □

The above proof is based on the pointwise continuity of refining quadratic maps. Of 
course we can find a uniform bound to be applied in the proof of the algorithm, but that 
would require a formalisation of the bivariate version of the Heine-Borel theorem. For our 
purpose the above proof suffices, because it gives us a witness which we will use in a bounded 
search for finding the smallest such witness. Furthermore, the pointwise continuity gives a 
finer estimate of the complexity of the algorithm, but we will not pursue this matter here. 
Results concerning the complexity of these algorithms can be found in |Hec98t[Krz01| . 

The discrepancy between the homographic algorithm and the quadratic algorithm ends
here. This means that the remaining steps for deriving the productivity predicate $P_q$ for
refining quadratic maps are essentially the same as those for the homographic algorithm.
Therefore we only present the three important statements here, and we refrain from repeating
the arguments. The proofs can be consulted in the formalisation package [Niq07a].

Lemma 6.18. Let $\xi$ be a refining quadratic map and $\alpha,\beta\in\mathrm{DIG}^\omega$. Then $E_q(\xi,\alpha,\beta)$ holds.

Lemma 6.19. Let $n\in\mathbb{N}$, $\xi$ be a refining quadratic map and $\alpha,\beta\in\mathrm{DIG}^\omega$. Then
$\Psi_q(n,\xi,\alpha,\beta)$ holds.

Corollary 6.20. Let $\xi$ be a refining quadratic map and $\alpha,\beta\in\mathrm{DIG}^\omega$. Then $P_q(\xi,\alpha,\beta)$
holds.

As expected the productivity predicate $P_q$, being a local property of the domain of
the algorithm, gives a finer description of the domain of the algorithm. For example the
addition tensor is not refining on $[-1,1]$, but the quadratic algorithm applied with the
addition tensor is productive for $\alpha,\beta\in[-\frac12,\frac12]$. However, if we transfer the computations
to the entire real line by adding a redundant sign bit, then refining quadratic maps are
enough for calculating the elementary functions [Pot98].

7. Reexamining The Method 

We can outline the path that we followed in this article in the following steps. 

(1) Implementing algorithms in type theoretic language. 

(2) Proving that they satisfy their Haskell-like specification. 

(3) Proving that the algorithms correspond to partial Möbius and quadratic maps on $[-1,1]$:

(a) They are total on those subsets of $\mathbb{M}\times\mathrm{DIG}^\omega$ and $\mathbb{T}\times\mathrm{DIG}^\omega$ for which the productivity predicates $P_h$ and $P_q$ hold.

(b) They are total on the subsets of $\mathbb{M}$ and $\mathbb{T}$ containing refining maps.

There are different aspects of the proofs in each of these phases that we would like to 
clarify. 

Dependence on Representation. None of the steps above depends on the representation,
although the specific proofs about this representation, as well as our choice of the base
interval, appeared frequently in our reasoning. In [Niq04, Chapter 5] we show that as long
as a representation satisfies a few properties with respect to the effect of its digits on the
chosen base interval, it will not affect the productivity and thus the correctness behaviour of
the algorithms. For example for any such representation and for any choice of base interval
we can derive a counterpart of (4.5), with a different bound, and of Lemma 6.4(1).

Type Theoretic vs. Topological Properties. We pointed out this correlation throughout
the article. Here we summarise it for all the above steps. Step 1 above is purely type
theoretic. It simply consists of writing a function parametrised by a proof obligation that
passes the type checking in the functional programming language of Coq. The proofs (proof
irrelevance lemmas and termination certificates) are objects that are meaningful and
expressible in a framework where dependent types and (co)inductive types exist. These proofs
ensure an initial layer of correctness: that the input and output have the right type and
whether the algorithms are productive for given inputs. One could say that in this step the
domain and codomain of the algorithms are described.

Step 2 is the first phase in proving correctness with respect to the intended semantics,
but it still has a purely type theoretic nature. The proofs are based on working with
bisimulation and deriving cofixed point equations for the algorithms. They relate the algorithms
to their specification written in a more liberal functional programming language (e.g. Haskell), where
termination and productivity are not hampering us.

Step 3 possesses both type-theoretic and topological elements. In Step 3a this is best
captured in the relationship between rep (a type theoretic predicate) and $[\cdot]$ (a purely
topological operation). In Step 3b the topological aspects dealing with the pointwise
continuity of the underlying maps are dominant. Still we can observe that Lemmas 6.7–6.11
resort to type theoretic properties such as proof irrelevance and termination certificates. The
correlation of these two aspects is highlighted in the final propositions about the purely
metric property Ref and the productivity predicates that were required for the type-checking
in Step 1.

Statistics on Formalisation. Finally we present some statistics pertaining to the
formalised algorithms. They indicate the size (in kilobytes) and length (in number of lines)
of the ASCII code of the formalisation. (The number of lines is obtained using the command coqwc, which disregards commented and blank lines.)

In Table 1 we present the relative size of the formalisation work for each of the above
steps. We also add a separate category (last row) for parts of the formalisation that include
general results about digits, Möbius maps, quadratic maps and several interval predicates.
In Table 2 we take an alternative viewpoint and present the statistics for each algorithm
separately. The first row (digits) denotes the part that was common to both algorithms.
The last column gives the size of the Haskell program that is obtained by using the program
extraction mechanism of Coq [CDT06, §18].



Step            Size (percentage of total)   Length
Step 1          27 K (5.5%)                  529 lines
Step 2          8 K (1.6%)                   166 lines
Step 3a         111 K (23.4%)                2099 lines
Step 3b         62 K (12.9%)                 1107 lines
General facts   268 K (56.3%)                4596 lines
Total           475 K (100%)                 8497 lines

Table 1: Various phases of the formalisation.



task          size    lines        extracted Haskell
digits        128 K   2541 lines   51 lines
homographic   147 K   2845 lines   61 lines
quadratic     200 K   3111 lines   126 lines
Total         475 K   8497 lines   238 lines

Table 2: Relative size of proofs and programs for different algorithms.

The presented statistics provide a good indication of the state of the art in formalising 
mathematical results and verifying algorithms. However, (and fortunately) these statistics 
are likely to be outdated as new versions of Coq featuring more automation tools will become 
available. 



8. Conclusions and Further Work 

We have shown the correctness of the homographic and quadratic algorithms on a
stream representation of real numbers in $[-1,1]$. Following the general set-up of [Niq04,
§ 5] the method is easily extensible to any admissible digit set for any compact proper
subinterval of the extended real numbers $[-\infty,+\infty]$. Our correctness proofs use an inductive
productivity predicate and a coinductive predicate rep that relates $\mathrm{DIG}^\omega$ and $[-1,1]$. We
use the coinductive machinery of the Coq proof assistant to formalise functions on infinite
objects and coinductive proofs. In particular we base our treatment of coinductive functions
on their cofixed point equations. These exploit the inherent infinite nature of streams by
adhering to $\simeq$, which is a bisimulation relation and is more suitable than the inductive
(Leibniz) equality. The coinductive arguments themselves are independent of Coq and can
be formalised in any proof assistant that accommodates coinductive types. Furthermore we
prove, in Coq, that for the class of Möbius and quadratic maps that satisfy a metric
property (being refining), the homographic and quadratic algorithms will output provably
infinite streams for any input.

Among several perceivable directions for future work, the more immediate one would
be to continue the Coq formalisation of the algorithms by developing a fully modular
framework that axiomatises the properties of representations and refining maps that are
needed for the formalisation. Each specific representation would then be portable into our
formalisation if a suitable interface is satisfied. This will pave the way for applying our
formalisation to more efficient representations such as the one used by Edalat-Potts [EP97]
or the ternary one used in [CDG06, Hou06, Ber07, MRE07].

The big picture would be to continue working on the formalisation of the Edalat-Potts
framework for exact real arithmetic. The homographic and quadratic algorithms are the
base case of Edalat and Potts' normalisation algorithm, which is defined on the coinductive
type of expression trees [EP97, Pot98]. Therefore if we could apply the method of this
article to formalise and verify this algorithm we could obtain all the elementary functions.
Unfortunately this does not seem to be possible: the difficulty lies in the general corecursion
used in the normalisation algorithm. The method of Section 3 needs more complicated
machinery than that of CIC to be applicable to the normalisation algorithm. This is because
the normalisation algorithm is a nested algorithm and therefore, applying our method, the
modulus of productivity $m_h$ will be a nested function too. It is well-known that applying the
Bove-Capretta method for formalising nested recursive functions requires the presence of
inductive-recursive types [BC01, Dyb00]. In this case the inductive domain predicate will
become an inductive-recursive predicate that is defined simultaneously with the nested
function. A similar phenomenon happens in our method, in the sense that we need a
notion similar to induction-recursion that would allow for the simultaneous definition of an
inductive predicate together with a cofixed point. The author is exploring the possibility
of defining such a notion. Recent work by Setzer on combining induction-recursion and
general recursion seems to open up new possibilities for our work in this direction [Set06].
One can contemplate adapting and generalising our method for lazy exact arithmetic
algorithms beyond the Edalat-Potts algorithm. One starting point in this direction would
be to follow the technique used in [Sim98] (see also Section 3.4) for obtaining higher order
functions on real numbers such as numerical integration.
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Appendix A. Interval Predicates for Quadratic Algorithm 



Let ^ = [e^fgh] be a quadratic map and 



000 001 
000 001 



G DIG. Then: 



Bounded(^) := {0<e+f+g+h A 0<e-f-g+h A 0<-e-f+g+h A 0<-e+f-g+h \/ 
e+f+g+h<0 A e-f-g+h<0 A -e-f+g+h<0 A -e+f-g+h<0) ; 



Ref (^) := Bounded(0 /\ 

^0<a+b+c+d+e+f+g+h A 0<-a-b-c-d+e+f+g+hA 
0<a-b-c+d+e-f-g+h A 0<-a+b+c-d+e-f-g+hA 
0<-a-b+c+d-e-f+g+h A 0<a+b-c-d-e-f+g+hA 

0<-a+b-c+d-e+f-g+h A 0<a-b+c-d-e+f-g+h \J 
a+b+c+d+e+f+g+h<0 A -a-b-c-d+e+f+g+h<OA 
a-b-c+d+e-f-g+h<0 A -a+6+c-(i+e-/-s'+/i<0A 
-a-b+c+d-e-f+g+h<0 A a+6-c-d-e-/+5+/i<0A 

-a+6-c+d-e+/-5r+/i<0 A a-b+c-d-e+f-g+h<0 



Incl(^, (/)) := Bounded(^) A 

{e-f-g+h){e-f-g+h){(t>oi-(t)oo)<{e-f-g+h){a-b-c+d){(t)n-4>io)/\ 
{e-f-g+h){a-b-c+d){^io+(t>u)<{e-f-g+h){e-f-g+h){(l)oo+^oi)A 
{-e-f+g+h){-e-f+g+h){^oi-^oo)<{-e-f+g+h){-a-b+c+d){<Pu-(l)io)A 

{-e-f+g+h){-a-b+c+d){(j)io+(j)n)<{-e-f+g+h){-e-f+g+h){(l)oo+(t)oi)/\ 
{-e+f-g+h){-e+f-g+h){(Poi-^oo)<{-e+f-g+h){-a+b-c+d){(t>u-(l)io)A 
{-e+f-g+h){-a+b-c+d){(l)io+(j)n)<{-e+f-g+h){-e+f-g+h){(l)oo+(t)oi)A 
{e+f+g+h){e+f+g+h){(l)oi-(t)oo)<{e+f+g+h){a+b+c+d){^n-(pio)/\ 
{e+f+g+h){a+b+c+d){(l)io+(t)n)<{e+f+g+h){e+f+g+h){^oo+M ■ 
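The following Python code is an added example (not from the article or from [Niq07a]) that implements the predicates of this appendix literally, the two products $\bullet_1$ and $\bullet_2$ as substitution of a Möbius map into one argument of the tensor, $\mathrm{diam}_2$ from the four corners, and the emission test of Lemma 6.14, and it cross-checks the scaled inequalities for Incl against the interval reading of Lemma 6.12 (3)–(5). The digit matrices for L, R, M and the sample tensors (addition $x+y$, the map $(x+y)/2$ and multiplication $xy$) are the example's own assumptions; Bounded is implemented strictly, Ref and Incl non-strictly.

```python
from fractions import Fraction as Fr

# Digit matrices ((a, b), (c, d)) for x -> (ax+b)/(cx+d); assumed here, consistent with
# L(1) = R(-1) = 0 and M(+-1) = +-1/3 as used in Section 6.
L = ((1, -1), (1, 3))
R = ((1, 1), (-1, 3))
M = ((1, 0), (0, 3))
DIGITS = {"L": L, "R": R, "M": M}
CORNERS = [(1, 1), (1, -1), (-1, 1), (-1, -1)]   # corners of [-1,1] x [-1,1]

# A tensor ((a, b, c, d), (e, f, g, h)) stands for (x, y) -> (axy+bx+cy+d)/(exy+fx+gy+h).
def t_apply(xi, x, y):
    (a, b, c, d), (e, f, g, h) = xi
    x, y = Fr(x), Fr(y)
    return (a*x*y + b*x + c*y + d) / (e*x*y + f*x + g*y + h)

def m_apply(mu, x):
    (a, b), (c, d) = mu
    return Fr(a * x + b, c * x + d)

def corner_terms(xi):
    """(numerator, denominator) of xi at the four corners: these are exactly the eight
    linear forms a+b+c+d, ..., -e+f-g+h from which the predicates of Appendix A are built."""
    (a, b, c, d), (e, f, g, h) = xi
    return [(a*x*y + b*x + c*y + d, e*x*y + f*x + g*y + h) for x, y in CORNERS]

def bounded_T(xi):  # Bounded(xi): the denominator has one strict sign at the corners
    dens = [D for _, D in corner_terms(xi)]
    return all(D > 0 for D in dens) or all(D < 0 for D in dens)

def ref_T(xi):  # Ref(xi): Bounded and -1 <= N/D <= 1 at every corner, written division-free
    if not bounded_T(xi):
        return False
    terms = corner_terms(xi)
    return (all(N + D >= 0 and D - N >= 0 for N, D in terms)
            or all(N + D <= 0 and D - N <= 0 for N, D in terms))

def incl_T(xi, phi):  # Incl(xi, phi): the eight scaled inequalities of Appendix A, literally
    if not bounded_T(xi):
        return False
    (p00, p01), (p10, p11) = phi
    return all(D*D*(p01 - p00) <= D*N*(p11 - p10) and D*N*(p10 + p11) <= D*D*(p00 + p01)
               for N, D in corner_terms(xi))

def image_T(xi):  # xi([-1,1],[-1,1]) = [min, max] over the corners (Lemma 6.12, diam_2)
    vals = [t_apply(xi, x, y) for x, y in CORNERS]
    return min(vals), max(vals)

def diam2(xi):
    lo, hi = image_T(xi)
    return hi - lo

def incl_T_semantic(xi, phi):  # the interval reading of Lemma 6.12 (3)-(5), for cross-checking
    if not bounded_T(xi):
        return False
    (lo, hi), (plo, phi_hi) = image_T(xi), sorted((m_apply(phi, -1), m_apply(phi, 1)))
    return plo <= lo and hi <= phi_hi

def left_product(xi, mu):   # xi .1 mu: substitute x := mu(x) and clear mu's denominator
    (a, b, c, d), (e, f, g, h) = xi
    (p, q), (r, s) = mu
    row = lambda a, b, c, d: (a*p + c*r, b*p + d*r, a*q + c*s, b*q + d*s)
    return (row(a, b, c, d), row(e, f, g, h))

def right_product(xi, mu):  # xi .2 mu: substitute y := mu(y)
    (a, b, c, d), (e, f, g, h) = xi
    (p, q), (r, s) = mu
    row = lambda a, b, c, d: (a*p + b*r, a*q + b*s, c*p + d*r, c*q + d*s)
    return (row(a, b, c, d), row(e, f, g, h))

def absorb_T(xi, alphas, betas):  # xi(alpha_0 o ... o alpha_{n-1}, beta_0 o ... o beta_{n-1})
    for a, b in zip(alphas, betas):
        xi = right_product(left_product(xi, DIGITS[a]), DIGITS[b])
    return xi

def emit_digit_T(xi):  # Lemma 6.14: a refining xi with diam2(xi) < 1/3 is included in some digit
    return next((name for name, phi in DIGITS.items() if incl_T(xi, phi)), None)

def predicates_agree(xi):  # Appendix A's Incl versus the corner-interval reading
    return all(incl_T(xi, phi) == incl_T_semantic(xi, phi) for phi in DIGITS.values())

# Constructed sample tensors: addition x+y, (x+y)/2 and multiplication x*y.
ADD = ((0, 1, 1, 0), (0, 0, 0, 1))
HALF_SUM = ((0, 1, 1, 0), (0, 0, 0, 2))
MUL = ((1, 0, 0, 0), (0, 0, 0, 1))
```

The addition tensor is the article's own illustration of a non-refining map whose algorithm is still productive on a smaller domain: `ref_T(ADD)` is false; after absorbing one M on each side the tensor is $(x+y)/3$ with image $[-\frac23,\frac23]$ and no digit is included, while after M M on each side it is $(x+y)/9$ and `emit_digit_T` returns M, exactly the case distinction in the proof of Lemma 6.14.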

Appendix B. Correspondence with the formalised Coq files.

In the following table we present the correspondence between the terms and lemmas in
the article and their formalised version in [Niq07a]. In the second column foo.bar refers to
the Coq term bar in file foo.v, which is available for public download at [Niq07a]. Note that
for notations that are overloaded between the homographic and quadratic case, in the first
column we explicitly mention an argument. For brevity we drop this argument to the Coq
functions; e.g. Bounded(μ) is in fact formalised as digits.Bounded_M mu but we ignore
mu.
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Item in article 


Formalised Version 


rs^ 


digit s.bisim 


Bounded(/i) 


digits . Bounded_M 


Bounded(^) 


digits . Bounded.! 


Ref(//) 


digits . Is_ref iningjyi 


Ref(0 


digits . Is jref ining_T 


DIG 


digits. Digit 


L 


digits .LL 


R 


digits. RR 


M 


digits .MM 


DIG^ 


digits .Reals 


Incl(/i, _) 


digits . Incl_M 


Incl(e,_) 


digits. Incl_T 


o (two matrices) 


digits . product 


o (matrix and tensor) 


digits .m_product 


•i 


digits . lef t_product 


•2 


digits . right_product 


Eh 


homographic . emitsJi 


rrih 


homographic .modulus Ji 


Incldec(Ai,-) 


digits . Incl_M_dec_D 


£^hab-inv 


homographic . emits_h_absorbs_inv 


Lemma |3.i| 


homographic .modulus Ji_P I 


Lemma 13.2111 


homographic. modulus b T, 


Lemma 13.2121 


homographic .modulus Ji_R 


Lemma 13.2131 


homographic .modulus Ji_M 


Lemma |3.2|4| 


homographic .modulus Ji_absorbs 


*/^ 


homographic . step_productive_h 


Ph 


homographic . product iveJi 


Ph-Eh 


homographi c. product i ve h emitsJi 


ruh-Ph 


homographic. modulus_h_productiveJi 


Lemma 13.3111 


homographic . step_productiveJi_inv_l 


Lemma 13.3121 


homographic . step_productiveJi_inv_2 


h 


homographic . homographic 


Lemma |3.4| 


homographic . homographi c_EP I 


Lemma 13.5111 


homographic . homographic_emits_L 


Lemma 13.5121 


homographic . homographic_emits_R 


Lemma 13.5131 


homographic . homographic_emits_M 


Lemma 13.5141 


homographic . homographic^bsorbs 


E, 


quadratic . emits_q 


ruq 


quadratic .modulus _q 


Incldec(^,-) 


digits . Incl_T_dec_D 


^gafe-inv 


quadratic . emits_q_absorbs_inv 


% 


quadratic . step_productive_q 


p. 


quadratic .product ive_q 


Pq-Eq 


quadratic .product ive_q_emits_q 


m.q.Pq 


quadratic. modulus_q_productive_q 


q 


quadratic . quadratic 
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Item in article 


Formalised Version 


Lemma 13.61 


quadratic . quadratic_EPI 


Lemma 13.7111 


quadratic . quadrat ic_emitsj^ 


Lemma |3.7|2| 


quadratic . quadrat ic_emits_R 


Lemma 13.7131 


quadratic . quadrat ic_emitsjyi 


Lemma 13.7141 


quadratic . quadratic_absorbs 


rep 


rep . rep 


^4.1^ 


rep.rep_stepl 


(|4.2|) 


rep . repX_inv 


Ot\n 


Streams_addenda . drop 


a~\ o.-.a^^ 


digits .product_init_rev 


(143D 


rep . rep_drop 


[-1 


Cauchy_streain . real_value 


^4.5^ 


ub.thesis_5_7_9 


(j4.6|) (lower bound) 


Cauchy .stream . rep JLb 


(j4.6|) (upper bound) 


Cauchy_streani . rep_ub 


^4.7^ 


rep . rep_inv_interval 


(|4.8|) 


Cauchy_streani . real_value_digits 


(|4.9|) 


Cauchy_streani . real_value_base_iiiterval 


(|4.1()D 


Cauchy .stream . rep_real_value 


(I4.11D 


Cauchy .stream . real_value_implies jrep 


(|4.12j) 


Cauchy .stream . rep_implies jreal_value 


6h 


hcorrectness . depthJi 


lioaoo . . . oa„_i 


hcorrectness .product_iiiit 


Lemma |5.1| 


hcorrectness . depthJi_modulusJi 


Lemma|5.2| 


hcorrectness . depth_h_Incl_M_inf _strong 


Lemma |5.3| 


hcorrectness . homographic_emits_strong 


Lemma |5.4| 


Ref ining_M . Incl_M_absorbs_Is_ref ining_M 


Theorem |5.5| 


hcorrectness . homographic_correctness 


~S, 


qcorrectness . depth_q 


^{aoo . . . oa„_i, /3oo . . . of3n-i) 


qcorrectness .product_initjzip 


Lemma |5.6| 


qcorrectness . quadratic_emits_strong 


Lemma |5.V| 


Ref ining_T . Incl_T_absorbs_Is_ref ining_T 


Theorem |5.8| 


qcorrectness . quadratic_correctness 

Bounded_M . denom_nonvanishing_M_Boundedjy[ 


Lemma|H.I|l|(^) 


Lemma|H.I|l|(^) 


Bounded_M . Bounded_M denom nonvanishing_M 


Lemma|H.ir2|(^) 


Ref ining_M . Isjref ining_M_property_f old 


Lemma|H.ir2|(^) 


Ref ining_M . Isjref ining_M_property 


Lemma 16. 1131 


Incl_M. Incljy[_L_f olded 


Lemma 16. 1141 


Incl_M . Incljy[_R_f olded 


Lemma 16. 1151 


Incl_M . Incljyuyi_f olded 


Lemma 16.2111 


Ref ining_M. Isjref ining_M_Bounded_M_product 


Lemma 16.2121 


Ref ining_M . Isjref ining_M_product 


diam(/i) 


digits . diameter 


red 


digits . redundancy 


Lemma |6.3| 


productivity_M . thesis_5_6_9 


\'c\] (for [:!^]) 


digits . eta_discriminant 
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Item in article 


Formalised Version 


Lemma |6.4|1| 
Lemma 16.4121 
Theorem l6.5l 
Lemma |6.6| 
Lemma |6.V| 
Lemma |6.8| 
Lemma |6.9| 
Lemma 16. 101 
Corollary IMU 
Lemma|6.12|l|(^) 
Lemma|6.12|l|(^) 
Lemma|6.12|2|(^) 
Lemma|6.12|2|(^) 
Lemma 16. 12131 
Lemma 10214I 
Lemma 16. 12151 
Lemma 16. 13111 


productivity J1 . diameter.product 
productivity J1 . diameter.product.init 
productivity J1 . thesis.5.6.10 
productivityJI.semanticjnodulusJi 
productivity J1. Isjref iningji.emitsji 
productivityJI.Isjref iningjyi.depthJi 
productivity J1. Isjref iningjijnodulusji 
productivity J1. Isjref iningjl.step.productiveji 
productivity J1. Isjref iningJI.productiveJi 
Bounded.! . denomjionvanishing.! .Bounded.! 
Bounded !. Bounded ! denom nonvanishing ! 
Refining.! . Is jref ining.!.property Jold 
Refining.! . Is jref ining.!.property 
Incl.! . Incl.!.L.f olded 
Incl.!. Incl.!Jl.f olded 
Incl.!. Incl.! jvi.f olded 
Refining.!. 

I s.refining.!.Bounded.!.leftj:ight. product 
Refining.! . Is jref ining.!.lef t jright.product 
digits . diameter2 
productivity.! . thesis.5.6.20 
productivity.! . upper.bound.diameter2 
productivity.! . thesis.5.6.19 
productivity.! . thesis.5.6.10 ' 
productivity.!. Is jref ining.!.eiiiits.q 
productivity.!. Isjref ining.!.step.productive.q 
productivity.!. Isjref ining.!.productive.q 


Lemma 16. 13121 

diam2(0 

Lemma 16. 141 
Lemma 16. 151 
Corollary 16.161 
Theorem 16.171 
Lemma 16. 181 
Lemma 16. 191 
Corollary 16.201 
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